rysktkr

Honorary Members

View Profile See their activity

Posts
95
Joined
June 28, 2011
Last visited
July 6, 2012

Content Type

All Activity

Events

Profiles

Forums

Topics
Posts

Everything posted by rysktkr

Please help with this log

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

Here are the results: All processes killed Error: Unable to interpret <:OTLIE - HKU\.DEFAULT\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - No CLSID value foundIE - HKU\S-1-5-18\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - No CLSID value found:Commands[emptytemp][clearallrestorepoints]> in the current context! OTL by OldTimer - Version 3.2.53.0 log created on 06302012_091319 Files\Folders moved on Reboot... PendingFileRenameOperations files... Registry entries deleted on Reboot...
- June 30, 2012
- 23 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

Here is the initial startup scan: GMER 1.0.15.15641 - http://www.gmer.net Rootkit quick scan 2012-06-30 08:59:04 Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HDS5C3020ALA632 rev.ML6OA580 Running: 10cy7byw.exe; Driver: C:\DOCUME~1\ADMINI~1.MYP\LOCALS~1\Temp\fgtdypog.sys ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation) AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) AttachedDevice \FileSystem\Fastfat \Fat stcvsm.sys (StorageCraft Volume Snapshot Driver/StorageCraft Technology Corporation) ---- EOF - GMER 1.0.15 ----
- June 30, 2012
- 77 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

I have not been able to get GMER to successfullly complete after 2 attempts. GMER stalls in the middle and I see some dialogue boxes complaining about visual C error. Don't now if this is related to GMER stalling but both times they were there. Additionally, last couple of times I rebooted the computer went into chkdsk mode for C: drive. It found descriptor a error and also recovered a number of orphaned files. The good news is my desktop background is back to the original and I also have my office toolbar back. I will attempt to run GMER a third time after a fresh reboot.
- June 30, 2012
- 77 replies
Please help with this log

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

OTL Extras logfile created on: 6/29/2012 4:22:09 PM - Run 1 OTL by OldTimer - Version 3.2.53.0 Folder = C:\Users\Linda\Downloads Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 1013.33 Mb Total Physical Memory | 73.02 Mb Available Physical Memory | 7.21% Memory free 2.80 Gb Paging File | 1.10 Gb Available in Paging File | 39.39% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 69.77 Gb Total Space | 11.52 Gb Free Space | 16.51% Space Free | Partition Type: NTFS Drive D: | 69.52 Gb Total Space | 50.88 Gb Free Space | 73.19% Space Free | Partition Type: NTFS Computer Name: FALLON-LAPTOP | User Name: Linda | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Extra Registry (SafeList) ========== ========== File Associations ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>] .cpl [@ = cplfile] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* .hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation) ========== Shell Spawning ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command] batfile [open] -- "%1" %* cmdfile [open] -- "%1" %* comfile [open] -- "%1" %* cplfile [cplopen] -- rundll32.exe shell32.dll,Control_RunDLL "%1",%* exefile [open] -- "%1" %* helpfile [open] -- Reg Error: Key error. hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation) piffile [open] -- "%1" %* regfile [merge] -- Reg Error: Key error. scrfile [config] -- "%1" scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l scrfile [open] -- "%1" /S txtfile [edit] -- Reg Error: Key error. Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation) Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) Folder [open] -- %SystemRoot%\Explorer.exe /separate,/idlist,%I,%L (Microsoft Corporation) Folder [explore] -- %SystemRoot%\Explorer.exe /separate,/e,/idlist,%I,%L (Microsoft Corporation) Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation) ========== Security Center Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center] "cval" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall] "DisableMonitoring" = 1 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc] "AntiVirusOverride" = 1 "AntiSpywareOverride" = 0 "FirewallOverride" = 0 "VistaSp1" = Reg Error: Unknown registry data type -- File not found "VistaSp2" = Reg Error: Unknown registry data type -- File not found [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\Vol] ========== System Restore Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore] "DisableSR" = 0 ========== Firewall Settings ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall] [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile] [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile] "DisableNotifications" = 0 "EnableFirewall" = 1 ========== Authorized Applications List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] ========== Vista Active Open Ports Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{0674CF8F-199D-42F7-9A3E-0680A9D92177}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{5A6D435F-FEB0-419C-AF01-DFB71B9D3803}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{73E09230-689B-4E6E-BE18-5BA6D7150264}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{DD69E5BC-D277-43F0-AA9C-DBA8FA9920AA}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{E40C075D-CEBA-4C09-B9F4-E12609EACC70}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{E73C8F30-7300-41B6-9930-53907B5878B3}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{F31FC199-2675-4C6E-8839-79E2C8F1A24E}" = lport=990 | protocol=6 | dir=in | svc=rapimgr | app=%systemroot%\system32\svchost.exe | "{F5DB00C6-9A75-46CA-8569-2500735338C2}" = rport=5679 | protocol=17 | dir=out | svc=rapimgr | app=%systemroot%\system32\svchost.exe | ========== Vista Active Application Exception List ========== [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules] "{081A4CD1-C0B2-4368-8E71-24E124956C7B}" = dir=in | app=c:\program files\acer\homemedia\homemedia.exe | "{10740A29-CF7B-405B-88FE-D8FD5C55683D}" = dir=in | app=c:\program files\cyberlink\powerdvd9\powerdvd cinema\powerdvdcinema.exe | "{1DAFBD79-0432-440C-A655-2906C5B595D4}" = protocol=17 | dir=in | app=c:\program files\symantec\symantec endpoint protection\smc.exe | "{2A9FC568-5005-4BFB-834D-68EB95BCE3E2}" = protocol=6 | dir=in | app=c:\program files\symantec\symantec endpoint protection\smc.exe | "{2F1B97F6-1106-40D0-92CE-A1C4CDC4541A}" = dir=in | app=c:\program files\acer\acer arcade\kernel\dmp\clbrowserengine.exe | "{35EE5240-5166-406B-84B8-ED1C4AF0592C}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{3D3D4454-AA33-41F6-A4FC-0F5A3B9E051C}" = dir=in | app=c:\program files\cyberlink\powerdvd9\powerdvd9.exe | "{4B08337C-88B3-402B-AF73-5F3E95BDB5DF}" = dir=in | app=c:\program files\acer\acer arcade\powercinema.exe | "{54165D62-39B8-4B1B-A553-E9E57EDAA749}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{77E46DE3-774F-4507-A918-63D912450DEE}" = protocol=6 | dir=in | app=c:\program files\itunes\itunes.exe | "{8D4FC9BB-F820-41AE-A5C6-BB1B8A4C62AB}" = protocol=6 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{928079C7-9278-476D-A392-DF3B408FD630}" = dir=in | app=c:\program files\acer\acer arcade\kernel\dms\clmsservice.exe | "{9CDEF0E9-EF51-43A1-91CE-76CDDFFF800A}" = protocol=17 | dir=in | app=c:\program files\bonjour\mdnsresponder.exe | "{A2C91B1F-23DD-4A0A-8096-761E566D59D2}" = dir=in | app=c:\program files\acer\acer arcade\pcmservice.exe | "{D44762BA-9648-4C43-ACA5-2B1E873A7ABF}" = protocol=6 | dir=in | app=c:\program files\symantec\symantec endpoint protection\snac.exe | "{D8B59997-BAAD-4F27-815F-AF5B1168A1EF}" = protocol=17 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe | "{F235D674-4139-4CE8-AC82-6A43B74D4A4D}" = protocol=17 | dir=in | app=c:\program files\itunes\itunes.exe | "{F3FA8232-89CF-4FC0-953F-BACBAD53D4FF}" = protocol=17 | dir=in | app=c:\program files\symantec\symantec endpoint protection\snac.exe | "{FD2C9F25-7866-401D-B614-213048EC7031}" = protocol=6 | dir=in | app=c:\program files\common files\symantec shared\ccapp.exe | "TCP Query User{4AD9C690-F277-48AF-A2BE-CFBBA6D59238}C:\program files\sling media\slingplayer\slingplayer.exe" = protocol=6 | dir=in | app=c:\program files\sling media\slingplayer\slingplayer.exe | "TCP Query User{4B9A7058-EE3D-47D7-99DB-429A19D23B7B}C:\program files\i spy spooky mansion\_spooky.exe" = protocol=6 | dir=in | app=c:\program files\i spy spooky mansion\_spooky.exe | "TCP Query User{BCA2951E-2E97-4C3C-8591-D8B3C92B948F}C:\program files\i spy spooky mansion\_spooky.exe" = protocol=6 | dir=in | app=c:\program files\i spy spooky mansion\_spooky.exe | "TCP Query User{F299DDEA-1267-4C1E-AA86-52FC834040F0}C:\program files\internet explorer\iexplore.exe" = protocol=6 | dir=in | app=c:\program files\internet explorer\iexplore.exe | "UDP Query User{3EFBC099-61AE-42EB-B70D-2050BA44C8CA}C:\program files\sling media\slingplayer\slingplayer.exe" = protocol=17 | dir=in | app=c:\program files\sling media\slingplayer\slingplayer.exe | "UDP Query User{9F76AD5A-D312-4E44-A910-2C52E9F7916D}C:\program files\internet explorer\iexplore.exe" = protocol=17 | dir=in | app=c:\program files\internet explorer\iexplore.exe | "UDP Query User{A25E4FE8-4F36-477B-BD29-12B164A366B4}C:\program files\i spy spooky mansion\_spooky.exe" = protocol=17 | dir=in | app=c:\program files\i spy spooky mansion\_spooky.exe | "UDP Query User{C0898B92-6D80-4BFF-BA36-F2AF44D9B58A}C:\program files\i spy spooky mansion\_spooky.exe" = protocol=17 | dir=in | app=c:\program files\i spy spooky mansion\_spooky.exe | ========== HKEY_LOCAL_MACHINE Uninstall List ========== [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall] "{11316260-6666-467B-AC34-183FCB5D4335}" = Acer Mobility Center Plug-In "{116FF17B-1A30-4FC2-9B01-5BC5BD46B0B3}" = Acer eLock Management "{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker "{1598034D-7147-432C-8CA8-888E0632D124}" = NTI Backup NOW! 4.7 "{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer "{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer "{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Acer Arcade "{3364BD16-5A28-4862-86A1-A8FF5FD23919}" = Music Rescue "{3BAB4914-9CC1-4CC2-A3DA-56EF62DFD373}" = Symantec Endpoint Protection "{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile "{3D08333C-C366-425D-8C2D-D05630D68A46}" = SlingPlayer "{45A66726-69BC-466B-A7A4-12FCBA4883D7}" = HiJackThis "{57752979-A1C9-4C02-856B-FBB27AC4E02C}" = QuickTime "{58E5844B-7CE2-413D-83D1-99294BF6C74F}" = Acer ePower Management "{65DA2EC9-0642-47E9-AAE2-B5267AA14D75}" = Activation Assistant for the 2007 Microsoft Office suites "{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works "{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable "{79DD56FC-DB8B-47F5-9C80-78B62E05F9BC}" = Acer ScreenSaver "{7E6066E6-8B5B-4100-B0FA-1D9E9B663CBA}" = iTunes "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-110111700}" = Zuma Deluxe "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11029123}" = Bricks of Egypt "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111263673}" = Treasures of the Deep "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111271497}" = Mystery Case Files - Prime Suspects "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111307457}" = Galapago "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111310630}" = Big Kahuna Reef 2 "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111473353}" = Dynasty "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-11170417}" = Luxor 2 "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-111771833}" = Jewel Quest Solitaire "{82C36957-D2B8-4EF2-B88C-5FA03AA848C7-112179547}" = Mystery Case Files Ravenhearst "{90280409-6000-11D3-8CFE-0050048383C9}" = Microsoft Office XP Professional with FrontPage "{94389919-B0AA-4882-9BE8-9F0B004ECA35}" = Acer Tour "{9F72EF8B-AEC9-4CA5-B483-143980AFD6FD}" = ALPS Touch Pad Driver "{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9 "{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}" = Google Update Helper "{AB6097D9-D722-4987-BD9E-A076E2848EE2}" = Acer Empowering Technology "{AC76BA86-7AD7-1033-7B44-A81000000003}" = Adobe Reader 8.1.0 "{AEEAE013-92F1-4515-B278-139F1A692A36}" = Acer eDataSecurity Management "{B3575D00-27EF-49C2-B9E0-14B3D954E992}" = Apple Application Support "{B7A0CE06-068E-11D6-97FD-0050BACBF861}" = PowerProducer 3.72 "{BA165460-FCF7-4D6C-A7A2-F2321700720F}" = MobileMe Control Panel "{BF839132-BD43-4056-ACBF-4377F4A88E2A}" = Acer ePresentation Management "{C06554A1-2C1E-4D20-B613-EE62C79927CC}" = Acer eNet Management "{C23CD6DA-1958-43A5-ADD0-59396572E02E}" = Apple Mobile Device Support "{C2E4B5BD-32DB-4817-A060-341AB17C3F90}" = Bonjour "{C6579A65-9CAE-4B31-8B6B-3306E0630A66}" = Apple Software Update "{C7340571-7773-4A8C-9EBC-4E4243B38C76}" = Microsoft XML Parser "{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1 "{CE386A4E-D0DA-4208-8235-BCE43275C694}" = LightScribe 1.4.142.1 "{CE65A9A0-9686-45C6-9098-3C9543A412F0}" = Acer eSettings Management "{D90AFDE3-3E67-407A-ACA8-F0BAAD012F08}" = Safari "{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver "{FB26A501-6BA6-459B-89AA-9736730752FB}" = VoiceOver Kit "Acer Assist" = Acer Assist "Acer Registration" = Acer Registration "Activation Assistant for the 2007 Microsoft Office suites" = Activation Assistant for the 2007 Microsoft Office suites "Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX "Adobe Shockwave Player" = Adobe Shockwave Player 11.5 "Agere Systems Soft Modem" = Agere Systems HDA Modem "Disney Toontown Online" = Disney Toontown Online "DVDFab 8 Qt_is1" = DVDFab 8.1.2.0 (15/09/2011) Qt "ESET Online Scanner" = ESET Online Scanner v3 "GridVista" = Acer GridVista "HDMI" = Intel® Graphics Media Accelerator Driver "InstallShield_{1577A05B-EE62-4BBC-9DB7-FE748FA44EC2}" = NTI CD & DVD-Maker "InstallShield_{1598034D-7147-432C-8CA8-888E0632D124}" = NTI Backup NOW! 4.7 "InstallShield_{3D08333C-C366-425D-8C2D-D05630D68A46}" = SlingPlayer "InstallShield_{A8516AC9-AAF1-47F9-9766-03E2D4CDBCF8}" = CyberLink PowerDVD 9 "LiveUpdate" = LiveUpdate 3.3 (Symantec Corporation) "LManager" = Launch Manager "MAGIX Ringtone Maker 2 e-version US" = MAGIX Ringtone Maker 2 e-version (US) "Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.61.0.1400 "Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1 "Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile "Mozilla Firefox 5.0 (x86 en-US)" = Mozilla Firefox 5.0 (x86 en-US) "Registry Mechanic_is1" = Registry Mechanic 10.0 "Warcraft III" = Warcraft III "WebSlingPlayer ActiveX" = WebSlingPlayer ActiveX "WinRAR archiver" = WinRAR archiver ========== Last 20 Event Log Errors ========== [ Application Events ] Error - 2/28/2011 10:07:32 PM | Computer Name = Fallon-Laptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledEvent 22526 Error - 2/28/2011 10:07:32 PM | Computer Name = Fallon-Laptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledSPRetry 22526 Error - 2/28/2011 10:07:33 PM | Computer Name = Fallon-Laptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: Continuously busy for more than a second Error - 2/28/2011 10:07:33 PM | Computer Name = Fallon-Laptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledEvent 23571 Error - 2/28/2011 10:07:33 PM | Computer Name = Fallon-Laptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledSPRetry 23571 Error - 2/28/2011 10:07:34 PM | Computer Name = Fallon-Laptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: Continuously busy for more than a second Error - 2/28/2011 10:07:34 PM | Computer Name = Fallon-Laptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledEvent 24695 Error - 2/28/2011 10:07:34 PM | Computer Name = Fallon-Laptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledSPRetry 24695 Error - 2/28/2011 10:07:42 PM | Computer Name = Fallon-Laptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: Continuously busy for more than a second Error - 2/28/2011 10:07:42 PM | Computer Name = Fallon-Laptop | Source = Bonjour Service | ID = 100 Description = Task Scheduling Error: m->NextScheduledEvent 32682 [ System Events ] Error - 6/27/2012 3:46:28 PM | Computer Name = Fallon-Laptop | Source = Service Control Manager | ID = 7023 Description = Error - 6/27/2012 3:46:53 PM | Computer Name = Fallon-Laptop | Source = Service Control Manager | ID = 7011 Description = Error - 6/27/2012 3:46:55 PM | Computer Name = Fallon-Laptop | Source = DCOM | ID = 10010 Description = Error - 6/27/2012 3:47:23 PM | Computer Name = Fallon-Laptop | Source = Service Control Manager | ID = 7011 Description = Error - 6/27/2012 3:47:53 PM | Computer Name = Fallon-Laptop | Source = Service Control Manager | ID = 7011 Description = Error - 6/27/2012 5:41:47 PM | Computer Name = Fallon-Laptop | Source = EventLog | ID = 6008 Description = The previous system shutdown at 1:09:51 PM on 6/27/2012 was unexpected. Error - 6/28/2012 6:21:27 AM | Computer Name = Fallon-Laptop | Source = DCOM | ID = 10010 Description = Error - 6/28/2012 6:21:58 AM | Computer Name = Fallon-Laptop | Source = DCOM | ID = 10010 Description = Error - 6/28/2012 3:31:20 PM | Computer Name = Fallon-Laptop | Source = Microsoft-Windows-Kernel-General | ID = 5 Description = Error - 6/29/2012 9:01:20 AM | Computer Name = Fallon-Laptop | Source = ACPI | ID = 327693 Description = : The embedded controller (EC) did not respond within the specified timeout period. This may indicate that there is an error in the EC hardware or firmware or that the BIOS is accessing the EC incorrectly. You should check with your computer manufacturer for an upgraded BIOS. In some situations, this error may cause the computer to function incorrectly. < End of report >
- June 29, 2012
- 23 replies
Please help with this log

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

On my other computer we were not able to detect ZeroAcces infection with MBAM. We only found it using combofix. OTL logfile created on: 6/29/2012 4:22:09 PM - Run 1 OTL by OldTimer - Version 3.2.53.0 Folder = C:\Users\Linda\Downloads Windows Vista Home Basic Edition Service Pack 2 (Version = 6.0.6002) - Type = NTWorkstation Internet Explorer (Version = 9.0.8112.16421) Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy 1013.33 Mb Total Physical Memory | 73.02 Mb Available Physical Memory | 7.21% Memory free 2.80 Gb Paging File | 1.10 Gb Available in Paging File | 39.39% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 69.77 Gb Total Space | 11.52 Gb Free Space | 16.51% Space Free | Partition Type: NTFS Drive D: | 69.52 Gb Total Space | 50.88 Gb Free Space | 73.19% Space Free | Partition Type: NTFS Computer Name: FALLON-LAPTOP | User Name: Linda | Logged in as Administrator. Boot Mode: Normal | Scan Mode: All users | Quick Scan Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days ========== Processes (SafeList) ========== PRC - [2012/06/29 16:21:30 | 000,596,992 | ---- | M] (OldTimer Tools) -- C:\Users\Linda\Downloads\OTL.exe PRC - [2012/03/03 00:27:11 | 000,307,824 | ---- | M] (Google Inc.) -- C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe PRC - [2011/12/26 11:33:38 | 000,247,968 | ---- | M] (Adobe Systems, Inc.) -- C:\Windows\System32\Macromed\Flash\FlashUtil11e_ActiveX.exe PRC - [2011/07/19 22:30:16 | 000,208,896 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Users\Linda\AppData\Local\temp\RtkBtMnt.exe PRC - [2010/08/05 09:46:08 | 001,594,328 | ---- | M] (PC Tools) -- C:\Program Files\Registry Mechanic\Upgrade.exe PRC - [2010/08/05 09:46:02 | 000,583,640 | ---- | M] (PC Tools) -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe PRC - [2010/08/05 09:46:02 | 000,104,408 | ---- | M] (PC Tools) -- C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe PRC - [2009/04/10 23:27:36 | 002,926,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2009/03/30 17:54:16 | 000,075,048 | ---- | M] (cyberlink) -- C:\Program Files\CyberLink\Shared Files\brs.exe PRC - [2009/03/30 14:07:34 | 000,115,560 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccApp.exe PRC - [2009/03/30 14:07:34 | 000,108,392 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe PRC - [2009/03/30 14:07:32 | 002,440,120 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe PRC - [2009/03/30 14:07:32 | 001,795,400 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe PRC - [2009/03/30 14:07:32 | 001,443,144 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe PRC - [2009/02/16 09:55:38 | 000,087,336 | ---- | M] (CyberLink Corp.) -- C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe PRC - [2007/07/15 22:51:44 | 000,768,520 | ---- | M] (Dritek System Inc.) -- C:\Program Files\Launch Manager\LManager.exe PRC - [2007/07/05 20:06:00 | 004,669,440 | ---- | M] (Realtek Semiconductor) -- C:\Windows\RtHDVCpl.exe PRC - [2007/06/21 18:25:46 | 000,118,464 | ---- | M] () -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe PRC - [2007/06/21 18:25:44 | 000,257,736 | ---- | M] () -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe PRC - [2007/06/21 18:25:22 | 000,155,648 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Acer\Acer Arcade\PCMService.exe PRC - [2007/06/21 18:24:12 | 001,076,832 | ---- | M] (Cyberlink) -- C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe PRC - [2007/06/05 10:13:28 | 000,024,576 | ---- | M] () -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe PRC - [2007/05/22 15:00:04 | 000,753,664 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eNet\eNMTray.exe PRC - [2007/05/22 15:00:02 | 000,135,168 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eNet\eNet Service.exe PRC - [2007/05/16 22:15:22 | 000,163,840 | ---- | M] (acer) -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe PRC - [2007/05/16 18:37:26 | 000,528,384 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\ePower\ePower_DMC.exe PRC - [2007/04/25 16:34:30 | 000,457,512 | ---- | M] (HiTRSUT) -- C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe PRC - [2007/04/25 16:33:36 | 000,457,216 | ---- | M] (HiTRUST) -- C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe PRC - [2007/04/25 11:35:56 | 000,323,584 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\Acer.Empowering.Framework.Supervisor.exe PRC - [2007/03/14 10:52:30 | 000,024,576 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe PRC - [2007/02/13 07:26:50 | 000,053,248 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe PRC - [2007/02/09 07:35:54 | 000,397,312 | ---- | M] (Acer Inc.) -- C:\Acer\Empowering Technology\eRecovery\eRAgent.exe PRC - [2007/01/26 14:24:42 | 000,050,688 | ---- | M] () -- C:\Acer\ALaunch\ALaunchSvc.exe PRC - [2006/11/24 12:57:54 | 000,107,008 | ---- | M] () -- C:\Acer\Mobility Center\MobilityService.exe PRC - [2006/11/02 05:34:44 | 000,176,128 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\wpcumi.exe PRC - [2006/11/02 02:45:59 | 000,215,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\WindowsMobile\wmdSync.exe PRC - [2006/10/04 21:10:12 | 000,009,216 | ---- | M] (Agere Systems) -- C:\Windows\System32\agrsmsvc.exe ========== Modules (No Company Name) ========== MOD - [2012/06/27 15:08:19 | 000,212,992 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\8bbcd31ecc8edc7d1f9cdd83ef2bb2d3\System.ServiceProcess.ni.dll MOD - [2012/06/27 15:07:25 | 011,820,032 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\508b444db523c5cf20ff12c7f440837b\System.Web.ni.dll MOD - [2012/06/27 12:39:20 | 012,433,920 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\f2691cfa7671cdc58179e56ba9227591\System.Windows.Forms.ni.dll MOD - [2012/06/27 12:37:12 | 001,592,320 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\18f9789aa214c657113e676b3a9015aa\System.Drawing.ni.dll MOD - [2012/06/26 14:16:53 | 000,998,400 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\f3d4d5fe5ab848fbfcf91a49960dc8ae\System.Management.ni.dll MOD - [2012/06/26 14:10:44 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\846b9cf2756fdd15f704c9bab9c70b6f\System.Runtime.Remoting.ni.dll MOD - [2012/06/26 14:10:04 | 000,971,264 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\bd76aaaa03ddc15d1840207b5a480644\System.Configuration.ni.dll MOD - [2012/06/26 12:19:56 | 005,450,752 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\d2630342a066a7cb9056d9eb6157687a\System.Xml.ni.dll MOD - [2012/06/26 12:17:37 | 007,953,408 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\28d633338fc8d29f8af31935ef7d001b\System.ni.dll MOD - [2012/06/26 12:17:06 | 011,492,352 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\af9c9e9d7e0523cd444f8b551baa9cbf\mscorlib.ni.dll MOD - [2010/03/15 16:57:20 | 000,067,872 | ---- | M] () -- C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll MOD - [2009/08/16 18:06:02 | 000,141,312 | ---- | M] () -- C:\util\WinRAR\RarExt.dll MOD - [2007/06/21 18:25:52 | 000,192,616 | ---- | M] () -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapEngine.dll MOD - [2007/06/21 18:25:52 | 000,061,538 | ---- | M] () -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSchMgr.dll MOD - [2007/06/21 18:25:52 | 000,028,672 | ---- | M] () -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvcps.dll MOD - [2007/06/05 10:13:32 | 000,028,672 | ---- | M] () -- C:\Acer\Empowering Technology\eSettings\eSettings.Plugin.dll MOD - [2007/06/05 10:13:14 | 000,155,648 | ---- | M] () -- C:\Acer\Empowering Technology\eSettings\eSettings.Presenter.dll MOD - [2007/06/05 10:13:04 | 000,983,040 | ---- | M] () -- C:\Acer\Empowering Technology\eSettings\eSettings.View.dll MOD - [2007/06/05 10:12:58 | 000,032,768 | ---- | M] () -- C:\Acer\Empowering Technology\eSettings.Model.ComputerInterfaces.dll MOD - [2007/05/22 15:00:04 | 000,249,856 | ---- | M] () -- C:\Acer\Empowering Technology\eNet\eNetPlugin.dll MOD - [2007/04/25 16:31:00 | 000,028,672 | ---- | M] () -- C:\Windows\System32\BatchCrypto.dll MOD - [2007/04/25 16:30:44 | 000,063,488 | ---- | M] () -- C:\Windows\System32\ShowErrMsg.dll MOD - [2007/04/25 11:35:34 | 000,057,344 | ---- | M] () -- C:\Acer\Empowering Technology\Acer.Empowering.Framework.DialogManager.dll MOD - [2007/04/25 11:35:10 | 000,024,576 | ---- | M] () -- C:\Acer\Empowering Technology\Acer.Empowering.Framework.PasswordSetting.dll MOD - [2007/04/11 16:42:40 | 000,307,200 | ---- | M] () -- C:\Acer\Empowering Technology\ePresentation\ePresentationCTL.dll MOD - [2007/03/14 11:00:08 | 000,831,488 | ---- | M] () -- C:\Acer\Empowering Technology\eLock\eLockCTL.dll MOD - [2007/02/13 07:26:30 | 000,016,384 | ---- | M] () -- C:\Acer\Empowering Technology\eRecovery\ServiceInterface.dll MOD - [2007/02/07 09:25:00 | 000,208,896 | ---- | M] () -- C:\Acer\Empowering Technology\ePower\SysHook.dll MOD - [2003/06/06 22:30:08 | 000,057,344 | ---- | M] () -- C:\Program Files\Launch Manager\PowerUtl.dll ========== Win32 Services (SafeList) ========== SRV - [2010/08/05 09:46:02 | 000,583,640 | ---- | M] (PC Tools) [Auto | Running] -- C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe -- (PCToolsSSDMonitorSvc) SRV - [2009/03/30 14:07:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (CLTNetCnService) SRV - [2009/03/30 14:07:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccSetMgr) SRV - [2009/03/30 14:07:34 | 000,108,392 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe -- (ccEvtMgr) SRV - [2009/03/30 14:07:32 | 002,440,120 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe -- (Symantec AntiVirus) SRV - [2009/03/30 14:07:32 | 001,795,400 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe -- (SmcService) SRV - [2009/03/30 14:07:32 | 000,320,840 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\Symantec Endpoint Protection\SNAC.EXE -- (SNAC) SRV - [2008/01/19 00:38:24 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2008/01/19 00:36:49 | 000,365,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm) SRV - [2008/01/19 00:36:15 | 000,167,936 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr) SRV - [2007/08/11 20:05:27 | 003,093,872 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate) SRV - [2007/06/21 18:25:46 | 000,118,464 | ---- | M] () [Auto | Running] -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe -- (CLSched) CyberLink Task Scheduler (CTS) SRV - [2007/06/21 18:25:44 | 000,257,736 | ---- | M] () [Auto | Running] -- C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe -- (CLCapSvc) CyberLink Background Capture Service (CBCS) SRV - [2007/06/21 18:24:12 | 001,076,832 | ---- | M] (Cyberlink) [Auto | Running] -- C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe -- (CyberLink Media Library Service) SRV - [2007/06/05 10:13:28 | 000,024,576 | ---- | M] () [Auto | Running] -- C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe -- (eSettingsService) SRV - [2007/05/22 15:00:02 | 000,135,168 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eNet\eNet Service.exe -- (eNet Service) SRV - [2007/05/16 22:15:22 | 000,163,840 | ---- | M] (acer) [Auto | Running] -- C:\Acer\Empowering Technology\ePower\ePowerSvc.exe -- (WMIService) SRV - [2007/04/25 16:34:30 | 000,457,512 | ---- | M] (HiTRSUT) [Auto | Running] -- C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe -- (eDataSecurity Service) SRV - [2007/03/14 10:52:30 | 000,024,576 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe -- (eLockService) SRV - [2007/02/13 07:26:50 | 000,053,248 | ---- | M] (Acer Inc.) [Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe -- (eRecoveryService) SRV - [2007/01/26 14:24:42 | 000,050,688 | ---- | M] () [Auto | Running] -- C:\Acer\ALaunch\ALaunchSvc.exe -- (ALaunchService) SRV - [2006/11/24 12:57:54 | 000,107,008 | ---- | M] () [Auto | Running] -- C:\Acer\Mobility Center\MobilityService.exe -- (MobilityService) SRV - [2006/10/04 21:10:12 | 000,009,216 | ---- | M] (Agere Systems) [Auto | Running] -- C:\Windows\System32\agrsmsvc.exe -- (AgereModemAudio) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt) DRV - File not found [Kernel | On_Demand | Unknown] -- C:\Users\Linda\AppData\Local\Temp\mbr.sys -- (mbr) DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\ipinip.sys -- (IpInIp) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme) DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\blbdrive.sys -- (blbdrive) DRV - [2012/05/31 01:00:00 | 000,376,480 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys -- (eeCtrl) DRV - [2012/05/31 01:00:00 | 000,106,656 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys -- (EraserUtilRebootDrv) DRV - [2012/05/16 01:00:00 | 001,589,752 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20120628.018\NAVEX15.SYS -- (NAVEX15) DRV - [2012/05/16 01:00:00 | 000,087,928 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\ProgramData\Symantec\Definitions\VirusDefs\20120628.018\NAVENG.SYS -- (NAVENG) DRV - [2009/07/10 13:56:59 | 000,123,952 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SYMEVENT.SYS -- (SymEvent) DRV - [2009/03/30 17:53:56 | 000,087,536 | ---- | M] (CyberLink Corp.) [2009/07/10 11:11:27] [Kernel | Auto | Running] -- C:\Program Files\CyberLink\PowerDVD9\000.fcl -- ({B154377D-700F-42cc-9474-23858FBDF4BD}) DRV - [2009/03/30 14:07:34 | 000,319,664 | ---- | M] (Symantec Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\srtspl.sys -- (SRTSPL) DRV - [2009/03/30 14:07:34 | 000,279,600 | ---- | M] (Symantec Corporation) [File_System | System | Running] -- C:\Windows\System32\drivers\srtsp.sys -- (SRTSP) DRV - [2009/03/30 14:07:34 | 000,043,824 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\srtspx.sys -- (SRTSPX) DRV - [2009/03/30 14:07:28 | 000,420,400 | ---- | M] (Symantec Corporation) [Kernel | System | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys -- (SPBBCDrv) DRV - [2007/06/18 03:03:32 | 000,737,280 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr) DRV - [2007/06/13 19:33:26 | 000,154,624 | ---- | M] (Alps Electric Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Apfiltr.sys -- (ApfiltrService) DRV - [2007/03/08 23:56:04 | 001,163,616 | ---- | M] (Agere Systems) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem) DRV - [2007/01/29 22:23:30 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio) DRV - [2006/12/07 19:12:02 | 000,076,584 | ---- | M] () [Kernel | Auto | Running] -- C:\Acer\Empowering Technology\eRecovery\int15.sys -- (int15) DRV - [2006/11/02 06:27:36 | 000,020,112 | ---- | M] (Dritek System Inc.) [Kernel | System | Running] -- C:\Program Files\Launch Manager\DPortIO.sys -- (DritekPortIO) DRV - [2006/09/19 17:47:04 | 000,080,744 | ---- | M] (Wasay) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\WSVD.sys -- (WSVD) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://en.us.acer.yahoo.com IE - HKLM\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990} IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC IE - HKLM\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7 IE - HKU\.DEFAULT\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - No CLSID value found IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\..\URLSearchHook: {00A6FAF6-072E-44cf-8957-5838F569A31D} - No CLSID value found IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-1998233532-487228089-2655391932-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://www.msn.com/?ocid=iehp IE - HKU\S-1-5-21-1998233532-487228089-2655391932-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-us IE - HKU\S-1-5-21-1998233532-487228089-2655391932-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 40 8A 6F 37 F2 54 CD 01 [binary data] IE - HKU\S-1-5-21-1998233532-487228089-2655391932-1001\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKU\S-1-5-21-1998233532-487228089-2655391932-1001\..\SearchScopes,DefaultScope = {6A1806CD-94D4-4689-BA73-E35EA1EA9990} IE - HKU\S-1-5-21-1998233532-487228089-2655391932-1001\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC IE - HKU\S-1-5-21-1998233532-487228089-2655391932-1001\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7GPTB_enUS288 IE - HKU\S-1-5-21-1998233532-487228089-2655391932-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-1998233532-487228089-2655391932-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = *.local ========== FireFox ========== FF - user.js - File not found FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\Windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.) FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=: File not found FF - HKLM\Software\MozillaPlugins\@Apple.com/iTunes,version=1.0: C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll () FF - HKLM\Software\MozillaPlugins\@ei.Guffins.com/Plugin: C:\Program Files\GuffinsEI\Installr\1.bin\NPu4EISB.dll File not found FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\Windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.111\npGoogleUpdate3.dll (Google Inc.) FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\m3ffxtbr@mywebsearch.com: C:\Program Files\MyWebSearch\bar\2.bin FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2011/06/27 17:42:51 | 000,000,000 | ---D | M] FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 5.0\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2011/06/27 15:09:17 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Linda\AppData\Roaming\Mozilla\Extensions [2011/06/30 17:42:09 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Linda\AppData\Roaming\Mozilla\Firefox\Profiles\j983f3bc.default\extensions [2011/06/30 17:42:09 | 000,000,000 | ---D | M] (BitDefender QuickScan) -- C:\Users\Linda\AppData\Roaming\Mozilla\Firefox\Profiles\j983f3bc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360} [2011/06/27 14:51:33 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions [2009/09/12 03:03:05 | 000,000,000 | ---D | M] (Microsoft .NET Framework Assistant) -- C:\WINDOWS\MICROSOFT.NET\FRAMEWORK\V3.5\WINDOWS PRESENTATION FOUNDATION\DOTNETASSISTANTEXTENSION [2011/06/15 21:17:34 | 000,142,296 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll [2010/01/01 01:00:00 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml O1 HOSTS File: ([2011/06/30 12:47:47 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (ShowBarObj Class) - {83A2F9B1-01A2-4AA5-87D1-45B6B8505E96} - C:\Windows\System32\ActiveToolBand.dll (HiTRUST) O3 - HKLM\..\Toolbar: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\Windows\System32\eDStoolbar.dll (HiTRUST) O3 - HKU\S-1-5-21-1998233532-487228089-2655391932-1001\..\Toolbar\ShellBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Windows\System32\eDStoolbar.dll (HiTRUST) O3 - HKU\S-1-5-21-1998233532-487228089-2655391932-1001\..\Toolbar\WebBrowser: (Acer eDataSecurity Management) - {5CBE3B7C-1E47-477E-A7DD-396DB0476E29} - C:\Windows\System32\eDStoolbar.dll (HiTRUST) O4 - HKLM..\Run: [Acer Assist Launcher] C:\Program Files\Acer Assist\launcher.exe () O4 - HKLM..\Run: [Acer Product Registration] C:\Program Files\Acer Registration\ACE1.exe (Leader Technologies) O4 - HKLM..\Run: [Acer Tour Reminder] C:\Acer\AcerTour\Reminder.exe (Acer Inc.) O4 - HKLM..\Run: [bDRegion] C:\Program Files\CyberLink\Shared Files\brs.exe (cyberlink) O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation) O4 - HKLM..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe (HiTRUST) O4 - HKLM..\Run: [LManager] C:\Program Files\Launch Manager\LManager.exe (Dritek System Inc.) O4 - HKLM..\Run: [PCMService] C:\Program Files\Acer\Acer Arcade\PCMService.exe (CyberLink Corp.) O4 - HKLM..\Run: [PDVD9LanguageShortcut] C:\Program Files\CyberLink\PowerDVD9\Language\Language.exe (CyberLink Corp.) O4 - HKLM..\Run: [RemoteControl9] C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe (CyberLink Corp.) O4 - HKLM..\Run: [RtHDVCpl] C:\Windows\RtHDVCpl.exe (Realtek Semiconductor) O4 - HKLM..\Run: [sSDMonitor] C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe (PC Tools) O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe (Microsoft Corporation) O4 - HKLM..\Run: [WPCUMI] C:\Windows\System32\wpcumi.exe (Microsoft Corporation) O4 - HKU\S-1-5-21-1998233532-487228089-2655391932-1001..\Run: [Acer Tour Reminder] File not found O4 - HKU\S-1-5-21-1998233532-487228089-2655391932-1001..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation) O4 - Startup: C:\Users\Fallon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk = File not found O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-1998233532-487228089-2655391932-1001\Software\Policies\Microsoft\Internet Explorer\Control Panel present O7 - HKU\S-1-5-21-1998233532-487228089-2655391932-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145 O7 - HKU\S-1-5-21-1998233532-487228089-2655391932-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0 O7 - HKU\S-1-5-21-1998233532-487228089-2655391932-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2 O7 - HKU\S-1-5-21-1998233532-487228089-2655391932-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1 O10 - NameSpace_Catalog5\Catalog_Entries\000000000007 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.) O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation) O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Windows\System32\wpclsp.dll (Microsoft Corporation) O15 - HKU\S-1-5-21-1998233532-487228089-2655391932-1001\..Trusted Domains: 0.0.1 ([127] * in Computer) O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab (Shockwave ActiveX Control) O16 - DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} http://quickscan.bitdefender.com/qsax/qsax.cab (BitDefender QuickScan Control) O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control) O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} http://www.worldwinner.com/games/shared/wwlaunch.cab (Wwlaunch Control) O16 - DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} http://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab (P3DActiveX Control) O16 - DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} http://plugin.slingbox.com/downloads/pc/1.4.0.85/WebSlingPlayer.cab (WebSlingPlayer) O16 - DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} http://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab (FamilyFeud Control) O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{AE3C0EED-CF5E-481E-BFF7-0EEEDCC9A3BE}: DhcpNameServer = 192.168.1.1 O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{B5A6F3AD-88CD-452C-B0E8-E6FFCC8CE4B6}: DhcpNameServer = 192.168.0.1 O20 - AppInit_DLLs: (C:\Windows\System32\eNetHook.dll) - C:\Windows\System32\eNetHook.dll (acer) O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation) O24 - Desktop WallPaper: C:\Windows\Web\Wallpaper\img24.jpg O24 - Desktop BackupWallPaper: C:\Windows\Web\Wallpaper\img24.jpg O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006/09/18 14:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O34 - HKLM BootExecute: (autocheck autochk *) O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3) O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2) ========== Files/Folders - Created Within 30 Days ========== [2012/06/28 07:57:46 | 000,607,260 | R--- | C] (Swearware) -- C:\Users\Linda\Desktop\dds.scr [2012/06/28 07:24:58 | 000,000,000 | R--D | C] -- C:\Users\Linda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PowerDVD 9 [2012/06/27 20:15:58 | 000,000,000 | ---D | C] -- C:\Users\Linda\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\HiJackThis [2012/06/27 20:15:53 | 000,000,000 | ---D | C] -- C:\Program Files\Trend Micro ========== Files - Modified Within 30 Days ========== [2012/06/29 16:01:01 | 000,000,884 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2012/06/29 15:55:21 | 000,000,632 | RHS- | M] () -- C:\Users\Linda\ntuser.pol [2012/06/29 15:06:48 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2012/06/29 15:06:48 | 000,003,168 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2012/06/29 14:53:39 | 000,067,584 | ---- | M] () -- C:\Windows\bootstat.dat [2012/06/28 21:02:05 | 000,000,880 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2012/06/28 20:58:36 | 000,000,254 | ---- | M] () -- C:\Windows\tasks\RMSchedule.job [2012/06/28 08:04:55 | 000,604,502 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2012/06/28 08:04:55 | 000,104,170 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2012/06/28 07:57:49 | 000,607,260 | R--- | M] (Swearware) -- C:\Users\Linda\Desktop\dds.scr [2012/06/28 03:24:59 | 1063,329,792 | -HS- | M] () -- C:\hiberfil.sys [2012/06/27 20:15:59 | 000,001,948 | ---- | M] () -- C:\Users\Linda\Desktop\HiJackThis.lnk [2012/06/27 14:51:33 | 000,000,910 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk [2012/06/27 14:46:01 | 000,000,680 | ---- | M] () -- C:\Users\Linda\AppData\Local\d3d9caps.dat [2012/06/27 12:20:45 | 000,326,704 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT ========== Files Created - No Company Name ========== [2012/06/27 20:15:59 | 000,001,948 | ---- | C] () -- C:\Users\Linda\Desktop\HiJackThis.lnk [2011/12/26 11:47:29 | 000,005,120 | ---- | C] () -- C:\Users\Linda\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2011/06/29 16:47:29 | 000,029,239 | ---- | C] () -- C:\Users\Linda\AppData\Roaming\UserTile.png [2010/12/08 16:46:45 | 000,000,680 | ---- | C] () -- C:\Users\Linda\AppData\Local\d3d9caps.dat [2010/11/25 15:14:21 | 000,037,336 | ---- | C] () -- C:\Windows\System32\CleanMFT32.exe [2008/08/12 12:16:02 | 000,031,906 | ---- | C] () -- C:\Users\Linda\AppData\Roaming\com.kennettnet.MusicRescue4.Profiles.plist [2008/08/12 11:10:19 | 000,931,097 | ---- | C] () -- C:\Users\Linda\AppData\Roaming\com.kennettnet.MusicRescue4.plist [2008/08/09 12:04:57 | 000,000,632 | RHS- | C] () -- C:\Users\Linda\ntuser.pol ========== LOP Check ========== [2008/03/25 10:40:58 | 000,000,000 | ---D | M] -- C:\Users\Fallon\AppData\Roaming\Acer [2008/03/25 10:40:55 | 000,000,000 | ---D | M] -- C:\Users\Fallon\AppData\Roaming\Leadertech [2008/08/09 12:05:56 | 000,000,000 | ---D | M] -- C:\Users\Linda\AppData\Roaming\Acer [2011/12/26 11:48:52 | 000,000,000 | ---D | M] -- C:\Users\Linda\AppData\Roaming\DVDFab [2008/08/09 12:05:54 | 000,000,000 | ---D | M] -- C:\Users\Linda\AppData\Roaming\Leadertech [2011/12/29 12:15:40 | 000,000,000 | ---D | M] -- C:\Users\Linda\AppData\Roaming\MoveFab [2011/06/29 16:47:16 | 000,000,000 | ---D | M] -- C:\Users\Linda\AppData\Roaming\PeerNetworking [2011/06/30 17:42:42 | 000,000,000 | ---D | M] -- C:\Users\Linda\AppData\Roaming\QuickScan [2010/04/08 09:08:17 | 000,000,000 | ---D | M] -- C:\Users\Linda\AppData\Roaming\Sling Media [2012/06/28 20:58:36 | 000,000,254 | ---- | M] () -- C:\Windows\Tasks\RMSchedule.job [2012/06/28 03:23:18 | 000,032,626 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT [2010/12/20 22:31:00 | 000,000,420 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{2ECAE152-400F-4AEE-B685-F140C8E3661A}.job [2011/04/02 20:46:00 | 000,000,418 | -H-- | M] () -- C:\Windows\Tasks\User_Feed_Synchronization-{307C4116-25B9-4330-930D-E68F9CA585BB}.job ========== Purity Check ========== ========== Alternate Data Streams ========== @Alternate Data Stream - 102 bytes -> C:\ProgramData\Temp:D1B5B4F1 < End of report >
- June 29, 2012
- 23 replies
Please help with this log

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

The latest MBAM log was posted above. This is after I had MBAM clean the infections detected in the previous scan. Here is the previous scan with the infections detected: Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Database version: v2012.06.27.11 Windows Vista Service Pack 2 x86 NTFS Internet Explorer 9.0.8112.16421 Linda :: FALLON-LAPTOP [administrator] 6/27/2012 2:53:03 PM mbam-log-2012-06-27 (14-53-03).txt Scan type: Full scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 343560 Time elapsed: 2 hour(s), 27 minute(s), 48 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 6 HKCR\CLSID\{0e32fcd4-7f06-4768-9f2b-869dc2ffffae} (PUP.FunWebProducts) -> Quarantined and deleted successfully. HKCR\TypeLib\{af25082c-7883-4ac5-9d15-784f3cfc78df} (PUP.FunWebProducts) -> Quarantined and deleted successfully. HKCR\Interface\{7906EEF8-33D6-442A-A07A-11A9A5701935} (PUP.FunWebProducts) -> Quarantined and deleted successfully. HKCR\GuffinsInstaller.Start.1 (PUP.FunWebProducts) -> Quarantined and deleted successfully. HKCR\GuffinsInstaller.Start (PUP.FunWebProducts) -> Quarantined and deleted successfully. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{0E32FCD4-7F06-4768-9F2B-869DC2FFFFAE} (PUP.FunWebProducts) -> Quarantined and deleted successfully. Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 2 C:\Program Files\GuffinsEI\Installr\1.bin\u4EZSETP.dll (PUP.FunWebProducts) -> Quarantined and deleted successfully. C:\Users\Fallon\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QOR9L9UR\Guffins.exe (PUP.FunWebProducts) -> Quarantined and deleted successfully. (end)
- June 29, 2012
- 23 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

Yes. Combofix is the only program that detects ZA. The computer is running good. Previously, I noticed when using IE and clicking favorites the pointer slowed greatly and was jumpy. It was as if a rogue thread was logging where I wanted to go in IE. The pointer in IE favorites is now acting normally. aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software Run date: 2012-06-29 14:24:30 ----------------------------- 14:24:30.046 OS Version: Windows 5.1.2600 Service Pack 3 14:24:30.046 Number of processors: 4 586 0xF0B 14:24:30.046 ComputerName: MYPC UserName: Mark 14:24:33.078 Initialize success 14:24:37.984 AVAST engine defs: 12062902 14:24:41.859 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 14:24:41.859 Disk 0 Vendor: Hitachi_HDS5C3020ALA632 ML6OA580 Size: 1907729MB BusType: 3 14:24:41.859 Disk 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-25 14:24:41.859 Disk 1 Vendor: ST3500630AS 3.AAK Size: 476938MB BusType: 3 14:24:41.859 Disk 2 \Device\Harddisk2\DR2 -> \Device\Ide\IdeDeviceP1T1L0-2d 14:24:41.859 Disk 2 Vendor: WDC_WD7500AADS-00L5B1 01.01A01 Size: 715404MB BusType: 3 14:24:41.859 Disk 3 \Device\Harddisk3\DR3 -> \Device\Scsi\JRAID1Port4Path0Target0Lun0 14:24:41.875 Disk 3 Vendor: SATA____ 0000 Size: 305245MB BusType: 8 14:24:41.875 Disk 0 MBR read successfully 14:24:41.875 Disk 0 MBR scan 14:24:41.890 Disk 0 Windows XP default MBR code 14:24:41.890 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 1907726 MB offset 63 14:24:41.890 Disk 0 scanning sectors +3907024065 14:24:42.000 Disk 0 scanning C:\windows\system32\drivers 14:25:07.796 Service scanning 14:25:54.671 Modules scanning 14:26:05.546 Disk 0 trace - called modules: 14:26:05.578 ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS 14:26:05.593 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b4d3ab8] 14:26:05.593 3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\00000091[0x8b59b940] 14:26:05.593 5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8b597d98] 14:26:07.750 AVAST engine scan C:\windows 14:26:35.078 AVAST engine scan C:\windows\system32 14:32:24.937 AVAST engine scan C:\windows\system32\drivers 14:34:15.046 AVAST engine scan C:\Documents and Settings\Mark 14:37:47.890 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Mark\Desktop\MBR.dat" 14:37:47.906 The log file has been saved successfully to "C:\Documents and Settings\Mark\Desktop\aswMBR.txt"
- June 29, 2012
- 77 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

Sorry about the fonts. Changed original sentence to standard font but forgot to include the space behind it so the paste resulted in italic. Here is the scan: Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Database version: v2012.06.29.10 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 Mark :: MYPC [administrator] 6/29/2012 1:28:17 PM mbam-log-2012-06-29 (13-28-17).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 297475 Time elapsed: 4 minute(s), Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end)
- June 29, 2012
- 77 replies
Please help with this log

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

Here it is. FYI another computer on my home network has ZeroAccess inserted into TCP/IP stack. I am concerned that it may have spread to this computer. Not sure if MBAM detects this infection. Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Database version: v2012.06.28.09 Windows Vista Service Pack 2 x86 NTFS Internet Explorer 9.0.8112.16421 Linda :: FALLON-LAPTOP [administrator] 6/28/2012 10:40:36 AM mbam-log-2012-06-28 (10-40-36).txt Scan type: Full scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 363163 Time elapsed: 1 hour(s), 21 minute(s), 15 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 0 (No malicious items detected) Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 0 (No malicious items detected) (end)
- June 29, 2012
- 23 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

It still detects AZ. ComboFix 12-06-28.03 - Mark 06/29/2012 10:56:57.15.4 - x86 Running from: c:\documents and settings\Mark\Desktop\ComboFix.exe AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C} . . ((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-29 ))))))))))))))))))))))))))))))) . . 2012-06-28 20:07 . 2012-06-29 17:09 -------- d-----w- C:\TDSSKiller_Quarantine 2012-06-28 19:56 . 2012-06-28 19:56 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys 2012-06-27 15:40 . 2012-06-27 15:40 -------- d-----w- C:\Reg_Backup 2012-06-27 15:40 . 2012-06-27 16:08 181064 ----a-w- c:\windows\PSEXESVC.EXE 2012-06-27 15:38 . 2012-06-27 15:42 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs 2012-06-26 17:40 . 2012-06-26 18:06 -------- d-----w- C:\fred 2012-06-26 14:35 . 2012-06-26 14:35 -------- d-----w- c:\documents and settings\Administrator.MYPC\Local Settings\Application Data\Google 2012-06-26 14:21 . 2012-06-26 14:21 -------- d-----w- c:\program files\Trend Micro 2012-06-26 02:30 . 2012-06-26 02:30 -------- d-----w- c:\documents and settings\Administrator.MYPC\Application Data\Malwarebytes 2012-06-26 02:28 . 2012-06-26 02:28 388096 ----a-r- c:\documents and settings\Administrator.MYPC\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2012-06-26 02:23 . 2012-06-26 02:23 -------- d-sh--w- c:\documents and settings\Administrator.MYPC\IETldCache 2012-06-25 22:35 . 2012-06-25 22:43 -------- d-----w- c:\documents and settings\Administrator.MYPC\Local Settings\Application Data\NPE 2012-06-25 22:35 . 2012-06-25 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton 2012-06-25 15:04 . 2012-06-25 15:04 607260 ------r- C:\dds.scr 2012-06-07 18:14 . 2012-06-07 18:14 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll 2012-06-07 18:14 . 2012-06-07 18:14 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll 2012-06-05 04:49 . 2012-06-05 04:49 -------- d-----w- c:\documents and settings\Mark\Application Data\FreeArc 2012-06-05 04:46 . 2012-06-05 04:46 -------- d-----w- c:\windows\system32\3081 . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-06-27 15:10 . 2012-05-05 16:36 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-06-27 15:10 . 2011-05-20 18:21 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-06-27 15:10 . 2012-05-05 17:10 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe 2012-06-02 22:19 . 2008-10-16 21:09 22040 ----a-w- c:\windows\system32\wucltui.dll.mui 2012-06-02 22:19 . 2009-04-12 00:25 329240 ----a-w- c:\windows\system32\wucltui.dll 2012-06-02 22:19 . 2009-04-12 00:25 210968 ----a-w- c:\windows\system32\wuweb.dll 2012-06-02 22:19 . 2009-04-12 00:25 219160 ----a-w- c:\windows\system32\wuaucpl.cpl 2012-06-02 22:19 . 2008-10-16 21:07 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui 2012-06-02 22:19 . 2009-04-12 00:25 53784 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-02 22:19 . 2009-04-12 00:25 35864 ----a-w- c:\windows\system32\wups.dll 2012-06-02 22:19 . 2008-10-16 21:09 45080 ----a-w- c:\windows\system32\wups2.dll 2012-06-02 22:19 . 2008-10-16 21:07 15384 ----a-w- c:\windows\system32\wuapi.dll.mui 2012-06-02 22:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll 2012-06-02 22:19 . 2008-10-16 21:07 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui 2012-06-02 22:19 . 2009-04-12 00:25 577048 ----a-w- c:\windows\system32\wuapi.dll 2012-06-02 22:19 . 2009-04-12 00:25 1933848 ----a-w- c:\windows\system32\wuaueng.dll 2012-04-19 23:17 . 2012-04-19 23:17 40960 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{F6BA8EF2-A9F8-45B7-BD59-0A15DA9F7D68}\Omron_Health_Manag_F6BA8EF2A9F845B7BD590A15DA9F7D68_6.exe 2012-04-19 23:17 . 2012-04-19 23:17 40960 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{F6BA8EF2-A9F8-45B7-BD59-0A15DA9F7D68}\Omron_Health_Manag_F6BA8EF2A9F845B7BD590A15DA9F7D68_5.exe 2012-04-11 13:14 . 2004-08-04 12:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe 2012-04-11 13:12 . 2004-08-04 12:00 1862272 ----a-w- c:\windows\system32\win32k.sys 2012-04-11 12:35 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe 2012-04-04 22:56 . 2011-07-28 14:38 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-06-07 18:14 . 2012-05-14 15:38 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((( SnapShot@2012-06-27_18.29.04 ))))))))))))))))))))))))))))))))))))))))) . + 2012-06-29 17:53 . 2012-06-29 17:53 16384 c:\windows\temp\Perflib_Perfdata_97c.dat + 2012-06-29 17:57 . 2012-06-29 17:57 16384 c:\windows\temp\Perflib_Perfdata_7b4.dat + 2010-04-24 20:50 . 2012-06-29 18:11 224882 c:\windows\system32\inetsrv\MetaBase.bin + 2012-06-28 17:54 . 2012-06-28 17:54 405504 c:\windows\ERDNT\6-28-2012\Users\00000002\UsrClass.dat + 2012-06-28 17:54 . 2005-10-20 19:02 163328 c:\windows\ERDNT\6-28-2012\ERDNT.EXE + 2012-06-28 17:54 . 2012-06-28 17:54 15654912 c:\windows\ERDNT\6-28-2012\Users\00000001\ntuser.dat . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-17 39408] "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408] "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000] "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392] "AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2012-03-09 5934712] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "V0230Mon.exe"="c:\windows\system32\V0230Mon.exe" [2006-07-19 36961] "NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-02-23 1226024] "AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576] "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528] "RemoteControl10"="c:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-03 87336] "BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2010-11-18 75048] "Nero MediaHome 4"="c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe" [2008-09-11 3622184] "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592] "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272] "NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712] "UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector10\MUITransfer\MUIStartMenu.exe" [2010-09-17 222504] "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-01-04 40376] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-01-03 640440] "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864] "36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528] . c:\documents and settings\Mark\Start Menu\Programs\Startup\ Check for TWS Updates.lnk - c:\program files\Jts\WiseUpdt.exe [2011-9-7 194775] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-6-24 113664] Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-29 607584] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360] TotalMedia Server.lnk - c:\program files\ArcSoft\TotalMedia Theatre 5\TotalMedia Server\TM Server.exe [2011-8-17 519744] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLinkedConnections"= 1 (0x1) . [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system] "DisableRegedit"= 0 (0x0) . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\acaptuser32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\ArcSoft\\TotalMedia Theatre 5\\TotalMedia Server\\TM Server.exe"= "c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "50000:UDP"= 50000:UDP:IHA_MessageCenter . R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [4/11/2009 5:49 PM 113904] R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [6/27/2009 9:53 AM 96512] R1 ArcSec;archlp;c:\windows\system32\drivers\ArcSec.sys [9/21/2010 9:10 AM 192504] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632] R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [4/11/2009 5:49 PM 79616] R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/03/24 13:54];c:\program files\Cyberlink\PowerDVD10\NavFilter\000.fcl [11/17/2010 9:29 PM 87536] R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/05/31 16:45];c:\program files\Cyberlink\PowerDVD9\000.fcl [3/30/2009 5:53 PM 87536] R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [11/18/2010 3:58 PM 20328] R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [5/24/2011 4:02 PM 335888] R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672] R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [2/18/2010 3:01 PM 462632] R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [12/22/2011 4:52 PM 2214504] R2 RAInfo;RemotelyAnywhere Kernel Information Provider;c:\program files\RemotelyAnywhere\x86\rainfo.sys [4/17/2007 2:00 PM 12992] R2 RARfsDriver;RemotelyAnywhere Remote File System Driver;c:\windows\system32\drivers\RARfsDriver.sys [4/4/2010 8:20 AM 46000] R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [4/11/2009 5:49 PM 1990656] R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 2:16 PM 93960] R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 5:54 AM 206120] R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 5:54 AM 185640] R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [5/29/2009 10:02 AM 66944] R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [4/11/2009 5:49 PM 61952] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/7/2012 7:20 PM 106656] R3 ramirr;ramirr;c:\windows\system32\drivers\ramirr.sys [4/17/2007 2:00 PM 10168] R3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [6/25/2010 12:43 AM 6272] R3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [6/25/2010 12:43 AM 500480] S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl --> c:\program files\PowerDVD8\PowerDVD8\000.fcl [?] S2 gupdate1ca0bc6b51516ae;Google Update Service (gupdate1ca0bc6b51516ae);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 11:52 AM 133104] S2 StorageCraft Image Manager;StorageCraft Image Manager;c:\program files\StorageCraft\ImageManager\ImageManager.exe [10/24/2007 3:26 PM 69632] S2 StorageCraft Image Manager32;StorageCraft Image Manager ;c:\windows\system32\ntsdexts32.exe --> c:\windows\system32\ntsdexts32.exe [?] S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/5/2012 9:36 AM 250056] S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [8/11/2009 8:45 AM 1684736] S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/7/2011 9:11 AM 13192] S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/7/2011 9:11 AM 8456] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 11:52 AM 133104] S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [6/28/2012 12:56 PM 32072] S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/14/2012 8:38 AM 113120] S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/26/2009 9:59 PM 47360] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872] S4 RARfsClientNP;RARfsClientNP; [x] S4 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2009-06-17 19:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}] 2009-03-08 12:32 128512 ----a-w- c:\windows\system32\advpack.dll . Contents of the 'Scheduled Tasks' folder . 2012-06-29 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 15:10] . 2012-06-28 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34] . 2012-06-26 c:\windows\Tasks\At1.job - c:\windows\system32\rasphonne.exe [2004-08-04 00:12] . 2012-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52] . 2012-06-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52] . 2012-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003Core.job - c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37] . 2012-06-29 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003UA.job - c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37] . 2012-06-29 c:\windows\Tasks\User_Feed_Synchronization-{A7972C66-43AF-4964-A40E-32D2946479FE}.job - c:\windows\system32\msfeedssync.exe [2007-08-14 12:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8 IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html Trusted Zone: intuit.com\ttlc TCP: DhcpNameServer = 192.168.1.1 DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} - hxxp://dishconnectivity.sling.com/dpit/downloads/pc/SlingHealth.cab FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\p5oo56mt.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p= FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q= FF - user.js: network.cookie.cookieBehavior - 0 FF - user.js: privacy.clearOnShutdown.cookies - false FF - user.js: security.warn_viewing_mixed - false FF - user.js: security.warn_viewing_mixed.show_once - false FF - user.js: security.warn_submit_insecure - false FF - user.js: security.warn_submit_insecure.show_once - false . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-06-29 11:12 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}] "ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl" . [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}] "ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl" . [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}] "ImagePath"="\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-1960408961-1303643608-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(772) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\WININET.dll c:\windows\system32\RARfsClientNP.dll . - - - - - - - > 'lsass.exe'(832) c:\windows\system32\RARfsClientNP.dll . Completion time: 2012-06-29 11:14:02 ComboFix-quarantined-files.txt 2012-06-29 18:14 ComboFix2.txt 2012-06-29 17:02 ComboFix3.txt 2012-06-29 00:09 ComboFix4.txt 2012-06-28 21:51 ComboFix5.txt 2012-06-29 17:11 . Pre-Run: 238,391,336,960 bytes free Post-Run: 238,358,892,544 bytes free . - - End Of File - - 5DFCB269EB6294D7ED5A84F1B35D5BFF
- June 29, 2012
- 77 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

tdsskiller was able to run from desktop this time. The log as far as I can see looks clean (enclosed). tdsskiller_log.zip
- June 29, 2012
- 77 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

No error while running DeFogger. Here is the RogueKiller log: RogueKiller V7.6.1 [06/28/2012] by Tigzy mail: tigzyRK<at>gmail<dot>com Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/ Blog: http://tigzyrk.blogspot.com Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version Started in : Normal mode User: Mark [Admin rights] Mode: Scan -- Date: 06/29/2012 08:35:24 ¤¤¤ Bad processes: 0 ¤¤¤ ¤¤¤ Registry Entries: 0 ¤¤¤ ¤¤¤ Particular Files / Folders: ¤¤¤ ¤¤¤ Driver: [LOADED] ¤¤¤ SSDT[12] : NtAlertResumeThread @ 0x80637C36 -> HOOKED (Unknown @ 0x8A2EF198) SSDT[13] : NtAlertThread @ 0x80592EFA -> HOOKED (Unknown @ 0x8A2EF1E0) SSDT[17] : NtAllocateVirtualMemory @ 0x80570BC5 -> HOOKED (Unknown @ 0x8B3AD1B8) SSDT[43] : NtCreateMutant @ 0x80580B62 -> HOOKED (Unknown @ 0x8B3E73E0) SSDT[53] : NtCreateThread @ 0x805860C0 -> HOOKED (Unknown @ 0x8B3AB0B8) SSDT[83] : NtFreeVirtualMemory @ 0x805710BF -> HOOKED (Unknown @ 0x8B1D3EB0) SSDT[89] : NtImpersonateAnonymousToken @ 0x8059BB5D -> HOOKED (Unknown @ 0x8A2EF108) SSDT[91] : NtImpersonateThread @ 0x805874C1 -> HOOKED (Unknown @ 0x8A2EF150) SSDT[108] : NtMapViewOfSection @ 0x8057AA19 -> HOOKED (Unknown @ 0x89E27500) SSDT[114] : NtOpenEvent @ 0x80589B69 -> HOOKED (Unknown @ 0x8A2EEFD0) SSDT[123] : NtOpenProcessToken @ 0x805784F6 -> HOOKED (Unknown @ 0x8A350F78) SSDT[129] : NtOpenThreadToken @ 0x805746D2 -> HOOKED (Unknown @ 0x89E1FBB0) SSDT[206] : NtResumeThread @ 0x80586737 -> HOOKED (Unknown @ 0x8A351290) SSDT[213] : NtSetContextThread @ 0x8063629D -> HOOKED (Unknown @ 0x8A2EF2B8) SSDT[228] : NtSetInformationProcess @ 0x80574B1F -> HOOKED (Unknown @ 0x89E1FC80) SSDT[229] : NtSetInformationThread @ 0x80576ABD -> HOOKED (Unknown @ 0x8B3EB320) SSDT[253] : NtSuspendProcess @ 0x80637B7B -> HOOKED (Unknown @ 0x8A2EEF40) SSDT[254] : NtSuspendThread @ 0x80637A97 -> HOOKED (Unknown @ 0x8A2EF228) SSDT[257] : NtTerminateProcess @ 0x8058E6B9 -> HOOKED (Unknown @ 0x8A351180) SSDT[258] : NtTerminateThread @ 0x80582DD9 -> HOOKED (Unknown @ 0x8A2EF270) SSDT[267] : NtUnmapViewOfSection @ 0x8057A5A1 -> HOOKED (Unknown @ 0x8A2EF300) SSDT[277] : NtWriteVirtualMemory @ 0x805873F6 -> HOOKED (Unknown @ 0x8B1D54B8) ¤¤¤ Infection : ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ 127.0.0.1 localhost ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: Hitachi HDS5C3020ALA632 +++++ --- User --- [MBR] 643c28cbc44b82ab1d3fc24bbfdf4f69 [bSP] 57baa9068b859ee8a3cfb5a321dc6037 : Windows XP MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1907726 Mo User = LL1 ... OK! User = LL2 ... OK! +++++ PhysicalDrive1: ST3500630AS +++++ --- User --- [MBR] 1406de26d4acd19c9b0ddec378f968d3 [bSP] 93a4ad19c181e7d325737ffc772b14db : Windows XP MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo User = LL1 ... OK! User = LL2 ... OK! +++++ PhysicalDrive2: WDC WD7500AADS-00L5B1 +++++ --- User --- [MBR] c83fcee3155eb6114d8c84d54c112317 [bSP] eaf482a9766f3000634a695d502e8c7f : Windows XP MBR Code Partition table: 0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 715402 Mo User = LL1 ... OK! User = LL2 ... OK! +++++ PhysicalDrive3: SATA ST3320620AS SCSI Disk Device +++++ --- User --- [MBR] 0326145d3c46a04484f1aa0bb439fb72 [bSP] 6367311c297c53c8fa575c4c03192a94 : Windows XP MBR Code Partition table: 0 - [XXXXXX] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo User = LL1 ... OK! Error reading LL2 MBR! Finished : << RKreport[4].txt >> RKreport[1].txt ; RKreport[2].txt ; RKreport[3].txt ; RKreport[4].txt
- June 29, 2012
- 77 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

It did repair the internet. Unfortunately, it still detects that zeroaccess is still there.
- June 29, 2012
- 77 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

oops. Unfortunately, still detecting zeroaccess. I'm also not able to access the internet. I am posting this from another PC. I'm guessing the tcp/ip statck need some repair.
- June 28, 2012
- 77 replies
Please help with this log

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

Unfortunately, still detecting zeroaccess. I'm also not able to access the internet. I am posting this from another PC. I'm guessing the tcp/ip statck need some repair.
- June 28, 2012
- 23 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

Attached tdsskiller log file. Below RogueKillr log. RogueKiller V7.6.1 [06/28/2012] by Tigzy mail: tigzyRK<at>gmail<dot>com Feedback: http://www.geekstogo.com/forum/files/file/413-roguekiller/ Blog: http://tigzyrk.blogspot.com Operating System: Windows XP (5.1.2600 Service Pack 3) 32 bits version Started in : Normal mode User: Mark [Admin rights] Mode: Scan -- Date: 06/28/2012 13:24:07 ¤¤¤ Bad processes: 0 ¤¤¤ ¤¤¤ Registry Entries: 4 ¤¤¤ [WallPP] HKCU\[...]\Desktop : Wallpaper () -> FOUND [HJ] HKCU\[...]\Advanced : Start_ShowUser (0) -> FOUND [HJ] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND [HJ] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND ¤¤¤ Particular Files / Folders: ¤¤¤ [ZeroAccess][FILE] @ : c:\windows\installer\{f53b4e5d-be5e-dbd5-89b7-192bca81046d}\@ --> FOUND [ZeroAccess][FOLDER] U : c:\windows\installer\{f53b4e5d-be5e-dbd5-89b7-192bca81046d}\U --> FOUND [ZeroAccess][FILE] @ : c:\documents and settings\mark\local settings\application data\{f53b4e5d-be5e-dbd5-89b7-192bca81046d}\@ --> FOUND ¤¤¤ Driver: [LOADED] ¤¤¤ SSDT[12] : NtAlertResumeThread @ 0x80637C36 -> HOOKED (Unknown @ 0x8B301848) SSDT[13] : NtAlertThread @ 0x80592EFA -> HOOKED (Unknown @ 0x8B31ECB0) SSDT[17] : NtAllocateVirtualMemory @ 0x80570BC5 -> HOOKED (Unknown @ 0x8B2FC388) SSDT[43] : NtCreateMutant @ 0x80580B62 -> HOOKED (Unknown @ 0x8B327858) SSDT[53] : NtCreateThread @ 0x805860C0 -> HOOKED (Unknown @ 0x887BE260) SSDT[83] : NtFreeVirtualMemory @ 0x805710BF -> HOOKED (Unknown @ 0x8A18DA70) SSDT[89] : NtImpersonateAnonymousToken @ 0x8059BB5D -> HOOKED (Unknown @ 0x8B3016C8) SSDT[91] : NtImpersonateThread @ 0x805874C1 -> HOOKED (Unknown @ 0x8B301788) SSDT[108] : NtMapViewOfSection @ 0x8057AA19 -> HOOKED (Unknown @ 0x8B3133E0) SSDT[114] : NtOpenEvent @ 0x80589B69 -> HOOKED (Unknown @ 0x8B327798) SSDT[123] : NtOpenProcessToken @ 0x805784F6 -> HOOKED (Unknown @ 0x89CC4AB8) SSDT[129] : NtOpenThreadToken @ 0x805746D2 -> HOOKED (Unknown @ 0x89CC2670) SSDT[206] : NtResumeThread @ 0x80586737 -> HOOKED (Unknown @ 0x8985D508) SSDT[213] : NtSetContextThread @ 0x8063629D -> HOOKED (Unknown @ 0x887BD318) SSDT[228] : NtSetInformationProcess @ 0x80574B1F -> HOOKED (Unknown @ 0x8B313288) SSDT[229] : NtSetInformationThread @ 0x80576ABD -> HOOKED (Unknown @ 0x89CC2518) SSDT[253] : NtSuspendProcess @ 0x80637B7B -> HOOKED (Unknown @ 0x8B3276D8) SSDT[254] : NtSuspendThread @ 0x80637A97 -> HOOKED (Unknown @ 0x8B2FC350) SSDT[257] : NtTerminateProcess @ 0x8058E6B9 -> HOOKED (Unknown @ 0x8B2FDDC0) SSDT[258] : NtTerminateThread @ 0x80582DD9 -> HOOKED (Unknown @ 0x887BA260) SSDT[267] : NtUnmapViewOfSection @ 0x8057A5A1 -> HOOKED (Unknown @ 0x8B31F730) SSDT[277] : NtWriteVirtualMemory @ 0x805873F6 -> HOOKED (Unknown @ 0x8B31ECE8) IRP[iRP_MJ_CREATE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF7978B40) IRP[iRP_MJ_CLOSE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF7978B40) IRP[iRP_MJ_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF7978B40) IRP[iRP_MJ_INTERNAL_DEVICE_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF7978B40) IRP[iRP_MJ_SYSTEM_CONTROL] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF7978B40) IRP[iRP_MJ_DEVICE_CHANGE] : Unknown -> HOOKED ([MAJOR] atapi.sys @ 0xF7978B40) ¤¤¤ Infection : ZeroAccess ¤¤¤ ¤¤¤ HOSTS File: ¤¤¤ 127.0.0.1 localhost ¤¤¤ MBR Check: ¤¤¤ +++++ PhysicalDrive0: Hitachi HDS5C3020ALA632 +++++ --- User --- [MBR] 643c28cbc44b82ab1d3fc24bbfdf4f69 [bSP] 57baa9068b859ee8a3cfb5a321dc6037 : Windows XP MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 1907726 Mo User = LL1 ... OK! User = LL2 ... OK! +++++ PhysicalDrive1: ST3500630AS +++++ --- User --- [MBR] 1406de26d4acd19c9b0ddec378f968d3 [bSP] 93a4ad19c181e7d325737ffc772b14db : Windows XP MBR Code Partition table: 0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476929 Mo User = LL1 ... OK! User = LL2 ... OK! +++++ PhysicalDrive2: WDC WD7500AADS-00L5B1 +++++ --- User --- [MBR] c83fcee3155eb6114d8c84d54c112317 [bSP] eaf482a9766f3000634a695d502e8c7f : Windows XP MBR Code Partition table: 0 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 715402 Mo User = LL1 ... OK! User = LL2 ... OK! +++++ PhysicalDrive3: SATA ST3320620AS SCSI Disk Device +++++ --- User --- [MBR] 0326145d3c46a04484f1aa0bb439fb72 [bSP] 6367311c297c53c8fa575c4c03192a94 : Windows XP MBR Code Partition table: 0 - [XXXXXX] LINUX-SWP (0x42) [VISIBLE] Offset (sectors): 63 | Size: 305242 Mo User = LL1 ... OK! Error reading LL2 MBR! Finished : << RKreport[1].txt >> RKreport[1].txt tdsskiller_log.zip
- June 28, 2012
- 77 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

sorry missed the windows+R thing. It's working now!
- June 28, 2012
- 77 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

When it rebooted it successfully ran MBAM. It removed 3 infections (see log below). Then I had to restart. I downloaded a new copy of tdsskiller to desktop. Then cut and pasted to Chameleon folder. Double clicked and nothing, didn't open. Malwarebytes Anti-Malware 1.61.0.1400 www.malwarebytes.org Database version: v2012.06.28.11 Windows XP Service Pack 3 x86 NTFS Internet Explorer 8.0.6001.18702 :: MYPC [administrator] 6/28/2012 12:14:34 PM mbam-log-2012-06-28 (12-14-34).txt Scan type: Quick scan Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM Scan options disabled: P2P Objects scanned: 298825 Time elapsed: 10 minute(s), 5 second(s) Memory Processes Detected: 0 (No malicious items detected) Memory Modules Detected: 0 (No malicious items detected) Registry Keys Detected: 0 (No malicious items detected) Registry Values Detected: 2 HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> Quarantined and deleted successfully. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> Quarantined and deleted successfully. Registry Data Items Detected: 0 (No malicious items detected) Folders Detected: 0 (No malicious items detected) Files Detected: 1 C:\Documents and Settings\Mark\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully. (end)
- June 28, 2012
- 77 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

After "%programfiles%\Malwarebytes' Anti-Malware\Chameleon/mbam-chameleon.com" /o I get the following "Protection driver was not installed which may be caused by malware activity. Do you want to reboot the computer to install protection driver (scan will conafter reboot) (Y/N)?" I am going to do Y...nothing to lose here. Let you know what happens shortly.
- June 28, 2012
- 77 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

tried running renamed rkill in safe mode. It opened cmd window and looked as if it was running normally. However, it never came back with notepad saying it completed successfully like it did in normal mode. Never the less, I still tried running renamed tdsskiller (mywinlogin.scr) still no luck.
- June 28, 2012
- 77 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

rkill worked fine. However, still can't get tdskiller to open. Renamed several times, redownloaded, ran as admin. Still won't open even after rkill. Tried once in safe mode without rename and without rkill still no success.
- June 28, 2012
- 77 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

TDSSKiller won't open. I am guessing the process is getting killed.
- June 28, 2012
- 77 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

Yes. It had to reboot as well.
- June 28, 2012
- 77 replies
Have multiple infections please help

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

Prior to your last post reran in normal mode just as normal combofix. After reading your last post reran "%userprofile%\desktop\combofix.exe" /nombr in normal mode and was successful. Here is the log: ComboFix 12-06-27.01 - Mark 06/28/2012 8:40.11.4 - x86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2506 [GMT -7:00] Running from: c:\documents and settings\Mark\desktop\ComboFix.exe Command switches used :: /nombr AV: Symantec Endpoint Protection *Disabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C} . . ((((((((((((((((((((((((( Files Created from 2012-05-28 to 2012-06-28 ))))))))))))))))))))))))))))))) . . 2012-06-27 15:40 . 2012-06-27 15:40 -------- d-----w- C:\Reg_Backup 2012-06-27 15:40 . 2012-06-27 16:08 181064 ----a-w- c:\windows\PSEXESVC.EXE 2012-06-27 15:38 . 2012-06-27 15:42 -------- d-----w- C:\Tweaking.com_Windows_Repair_Logs 2012-06-26 17:40 . 2012-06-26 18:06 -------- d-----w- C:\fred 2012-06-26 15:51 . 2012-06-26 15:51 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2012-06-26 14:35 . 2012-06-26 14:35 -------- d-----w- c:\documents and settings\Administrator.MYPC\Local Settings\Application Data\Google 2012-06-26 14:21 . 2012-06-26 14:21 -------- d-----w- c:\program files\Trend Micro 2012-06-26 02:30 . 2012-06-26 02:30 -------- d-----w- c:\documents and settings\Administrator.MYPC\Application Data\Malwarebytes 2012-06-26 02:28 . 2012-06-26 02:28 388096 ----a-r- c:\documents and settings\Administrator.MYPC\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe 2012-06-26 02:23 . 2012-06-26 02:23 -------- d-sh--w- c:\documents and settings\Administrator.MYPC\IETldCache 2012-06-25 22:35 . 2012-06-25 22:43 -------- d-----w- c:\documents and settings\Administrator.MYPC\Local Settings\Application Data\NPE 2012-06-25 22:35 . 2012-06-25 22:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton 2012-06-25 15:04 . 2012-06-25 15:04 607260 ------r- C:\dds.scr 2012-06-07 18:14 . 2012-06-07 18:14 421200 ----a-w- c:\program files\Mozilla Firefox\msvcp100.dll 2012-06-07 18:14 . 2012-06-07 18:14 770384 ----a-w- c:\program files\Mozilla Firefox\msvcr100.dll 2012-06-05 04:49 . 2012-06-05 04:49 -------- d-----w- c:\documents and settings\Mark\Application Data\FreeArc 2012-06-05 04:46 . 2012-06-05 04:46 -------- d-----w- c:\windows\system32\3081 . . . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2012-06-27 15:10 . 2012-05-05 16:36 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe 2012-06-27 15:10 . 2011-05-20 18:21 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl 2012-06-27 15:10 . 2012-05-05 17:10 9815752 ----a-w- c:\windows\system32\FlashPlayerInstaller.exe 2012-06-02 22:19 . 2008-10-16 21:09 22040 ----a-w- c:\windows\system32\wucltui.dll.mui 2012-06-02 22:19 . 2009-04-12 00:25 329240 ----a-w- c:\windows\system32\wucltui.dll 2012-06-02 22:19 . 2009-04-12 00:25 210968 ----a-w- c:\windows\system32\wuweb.dll 2012-06-02 22:19 . 2009-04-12 00:25 219160 ----a-w- c:\windows\system32\wuaucpl.cpl 2012-06-02 22:19 . 2008-10-16 21:07 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui 2012-06-02 22:19 . 2009-04-12 00:25 53784 ----a-w- c:\windows\system32\wuauclt.exe 2012-06-02 22:19 . 2009-04-12 00:25 35864 ----a-w- c:\windows\system32\wups.dll 2012-06-02 22:19 . 2008-10-16 21:09 45080 ----a-w- c:\windows\system32\wups2.dll 2012-06-02 22:19 . 2008-10-16 21:07 15384 ----a-w- c:\windows\system32\wuapi.dll.mui 2012-06-02 22:19 . 2004-08-04 12:00 97304 ----a-w- c:\windows\system32\cdm.dll 2012-06-02 22:19 . 2008-10-16 21:07 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui 2012-06-02 22:19 . 2009-04-12 00:25 577048 ----a-w- c:\windows\system32\wuapi.dll 2012-06-02 22:19 . 2009-04-12 00:25 1933848 ----a-w- c:\windows\system32\wuaueng.dll 2012-04-19 23:17 . 2012-04-19 23:17 40960 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{F6BA8EF2-A9F8-45B7-BD59-0A15DA9F7D68}\Omron_Health_Manag_F6BA8EF2A9F845B7BD590A15DA9F7D68_6.exe 2012-04-19 23:17 . 2012-04-19 23:17 40960 ----a-r- c:\documents and settings\Mark\Application Data\Microsoft\Installer\{F6BA8EF2-A9F8-45B7-BD59-0A15DA9F7D68}\Omron_Health_Manag_F6BA8EF2A9F845B7BD590A15DA9F7D68_5.exe 2012-04-11 13:14 . 2004-08-04 12:00 2148352 ----a-w- c:\windows\system32\ntoskrnl.exe 2012-04-11 13:12 . 2004-08-04 12:00 1862272 ----a-w- c:\windows\system32\win32k.sys 2012-04-11 12:35 . 2004-08-03 22:59 2026496 ----a-w- c:\windows\system32\ntkrnlpa.exe 2012-04-04 22:56 . 2011-07-28 14:38 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-06-07 18:14 . 2012-05-14 15:38 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll . . ((((((((((((((((((((((((((((( SnapShot@2012-06-27_18.29.04 ))))))))))))))))))))))))))))))))))))))))) . + 2012-06-28 15:37 . 2012-06-28 15:37 16384 c:\windows\temp\Perflib_Perfdata_d90.dat + 2012-06-27 22:28 . 2012-06-27 22:28 16384 c:\windows\temp\Perflib_Perfdata_830.dat + 2010-04-24 20:50 . 2012-06-28 16:20 224883 c:\windows\system32\inetsrv\MetaBase.bin . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . *Note* empty entries & legit default entries are not shown REGEDIT4 . [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-04-17 39408] "Messenger (Yahoo!)"="c:\progra~1\Yahoo!\MESSEN~1\YahooMessenger.exe" [2010-06-01 5252408] "H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000] "DAEMON Tools Lite"="c:\util\DAEMON Tools Lite\DTLite.exe" [2009-10-30 369200] "LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2009-06-17 2363392] "AnyDVD"="c:\program files\SlySoft\AnyDVD\AnyDVDtray.exe" [2012-03-09 5934712] . [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "V0230Mon.exe"="c:\windows\system32\V0230Mon.exe" [2006-07-19 36961] "NBAgent"="c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe" [2010-02-23 1226024] "AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-06-09 24576] "hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2008-07-23 150528] "RemoteControl10"="c:\program files\CyberLink\PowerDVD10\PDVD10Serv.exe" [2010-02-03 87336] "BDRegion"="c:\program files\Cyberlink\Shared files\brs.exe" [2010-11-18 75048] "Nero MediaHome 4"="c:\program files\Nero\Nero MediaHome 4\NeroMediaHome.exe" [2008-09-11 3622184] "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592] "APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-11-13 421736] "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-05-04 252136] "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-05-21 13895272] "NvMediaCenter"="NvMCTray.dll" [2011-05-21 111208] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696] "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712] "UpdatePDRShortCut"="c:\program files\CyberLink\PowerDirector10\MUITransfer\MUIStartMenu.exe" [2010-09-17 222504] "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2012-01-04 40376] "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2012-01-03 640440] "JMB36X IDE Setup"="c:\windows\RaidTool\xInsIDE.exe" [2007-03-20 36864] "36X Raid Configurer"="c:\windows\system32\xRaidSetup.exe" [2007-11-19 1966080] "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2006-10-27 434528] . c:\documents and settings\Mark\Start Menu\Programs\Startup\ Check for TWS Updates.lnk - c:\program files\Jts\WiseUpdt.exe [2011-9-7 194775] . c:\documents and settings\All Users\Start Menu\Programs\Startup\ Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2011-6-24 113664] Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2009-7-29 607584] HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2010-5-28 276328] Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-12 83360] TotalMedia Server.lnk - c:\program files\ArcSoft\TotalMedia Theatre 5\TotalMedia Server\TM Server.exe [2011-8-17 519744] . [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system] "EnableLinkedConnections"= 1 (0x1) "DisableRegedit"= 0 (0x0) . [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system] "DisableRegedit"= 0 (0x0) . [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\system] "DisableRegedit"= 0 (0x0) . [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks] "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon] 2009-09-03 21:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows] "AppInit_DLLs"=c:\windows\system32\acaptuser32.dll . [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus] "DisableMonitoring"=dword:00000001 . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\ArcSoft\\TotalMedia Theatre 5\\TotalMedia Server\\TM Server.exe"= "c:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"= "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"= . [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "50000:UDP"= 50000:UDP:IHA_MessageCenter . R0 sptd;sptd;\SystemRoot\\SystemRoot\System32\Drivers\sptd.sys --> \SystemRoot\\SystemRoot\System32\Drivers\sptd.sys [?] R0 stcvsm;stcvsm;c:\windows\system32\drivers\stcvsm.sys [4/11/2009 5:49 PM 113904] R1 archlp;archlp;c:\windows\system32\drivers\archlp.sys [6/27/2009 9:53 AM 96512] R1 ArcSec;archlp;c:\windows\system32\drivers\ArcSec.sys [9/21/2010 9:10 AM 192504] R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872] R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632] R1 sbmount;StorageCraft Image Mount Driver;c:\windows\system32\drivers\sbmount.sys [4/11/2009 5:49 PM 79616] R2 {1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC};Power Control [2011/03/24 13:54];c:\program files\Cyberlink\PowerDVD10\NavFilter\000.fcl [11/17/2010 9:29 PM 87536] R2 {B154377D-700F-42cc-9474-23858FBDF4BD};Power Control [2009/05/31 16:45];c:\program files\Cyberlink\PowerDVD9\000.fcl [3/30/2009 5:53 PM 87536] R2 cpuz134;cpuz134;c:\windows\system32\drivers\cpuz134_x32.sys [11/18/2010 3:58 PM 20328] R2 IHA_MessageCenter;IHA_MessageCenter;c:\program files\Verizon\IHA_MessageCenter\Bin\Verizon_IHAMessageCenter.exe [5/24/2011 4:02 PM 335888] R2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [8/25/2011 5:53 PM 13672] R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [2/18/2010 3:01 PM 462632] R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [12/22/2011 4:52 PM 2214504] R2 RAInfo;RemotelyAnywhere Kernel Information Provider;c:\program files\RemotelyAnywhere\x86\rainfo.sys [4/17/2007 2:00 PM 12992] R2 RARfsDriver;RemotelyAnywhere Remote File System Driver;c:\windows\system32\drivers\RARfsDriver.sys [4/4/2010 8:20 AM 46000] R2 ShadowProtectSvc;ShadowProtect Service;c:\program files\StorageCraft\ShadowProtect\ShadowProtectSvc.exe [4/11/2009 5:49 PM 1990656] R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 2:16 PM 93960] R2 sprtsvc_verizondm;SupportSoft Sprocket Service (verizondm);c:\program files\VERIZONDM\bin\sprtsvc.exe [2/1/2011 5:54 AM 206120] R2 tgsrvc_verizondm;SupportSoft Repair Service (verizondm);c:\program files\VERIZONDM\bin\tgsrvc.exe [2/1/2011 5:54 AM 185640] R2 thdudf;TOSHIBA UDF2.5 Reader File System Driver;c:\windows\system32\drivers\thdudf.sys [5/29/2009 10:02 AM 66944] R2 VSNAPVSS;StorageCraft Shadow Copy Provider;c:\windows\system32\vsnapvss.exe [4/11/2009 5:49 PM 61952] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/7/2012 7:20 PM 106656] R3 ramirr;ramirr;c:\windows\system32\drivers\ramirr.sys [4/17/2007 2:00 PM 10168] R3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [6/25/2010 12:43 AM 6272] R3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [6/25/2010 12:43 AM 500480] S2 {FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054};\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl --> c:\program files\PowerDVD8\PowerDVD8\000.fcl [?] S2 gupdate1ca0bc6b51516ae;Google Update Service (gupdate1ca0bc6b51516ae);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 11:52 AM 133104] S2 StorageCraft Image Manager;StorageCraft Image Manager;c:\program files\StorageCraft\ImageManager\ImageManager.exe [10/24/2007 3:26 PM 69632] S2 StorageCraft Image Manager32;StorageCraft Image Manager ;c:\windows\system32\ntsdexts32.exe --> c:\windows\system32\ntsdexts32.exe [?] S3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [5/5/2012 9:36 AM 250056] S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\ambfilt.sys [8/11/2009 8:45 AM 1684736] S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/7/2011 9:11 AM 13192] S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/7/2011 9:11 AM 8456] S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/23/2009 11:52 AM 133104] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/26/2012 8:51 AM 40776] S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [5/14/2012 8:38 AM 113120] S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [5/26/2009 9:59 PM 47360] S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872] S4 RARfsClientNP;RARfsClientNP; [x] . [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost] HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12 HPService REG_MULTI_SZ HPSLPSVC hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}] 2009-06-17 19:11 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe . [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}] 2009-03-08 12:32 128512 ----a-w- c:\windows\system32\advpack.dll . Contents of the 'Scheduled Tasks' folder . 2012-06-28 c:\windows\Tasks\Adobe Flash Player Updater.job - c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-05 15:10] . 2012-06-21 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-02 19:34] . 2012-06-26 c:\windows\Tasks\At1.job - c:\windows\system32\rasphonne.exe [2004-08-04 00:12] . 2012-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52] . 2012-06-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job - c:\program files\Google\Update\GoogleUpdate.exe [2009-07-23 18:52] . 2012-06-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003Core.job - c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37] . 2012-06-28 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1960408961-1303643608-839522115-1003UA.job - c:\documents and settings\Mark\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-29 18:37] . 2012-06-28 c:\windows\Tasks\User_Feed_Synchronization-{A7972C66-43AF-4964-A40E-32D2946479FE}.job - c:\windows\system32\msfeedssync.exe [2007-08-14 12:31] . . ------- Supplementary Scan ------- . uStart Page = hxxp://www.yahoo.com/ mStart Page = hxxp://www.yahoo.com/?fr=fp-yie8 IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html Trusted Zone: intuit.com\ttlc TCP: DhcpNameServer = 192.168.1.1 DPF: {3528A58B-595D-4AFD-A5F6-B914BD306DC3} - hxxp://dishconnectivity.sling.com/dpit/downloads/pc/SlingHealth.cab FF - ProfilePath - c:\documents and settings\Mark\Application Data\Mozilla\Firefox\Profiles\p5oo56mt.default\ FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p= FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2786678&q= FF - user.js: network.cookie.cookieBehavior - 0 FF - user.js: privacy.clearOnShutdown.cookies - false FF - user.js: security.warn_viewing_mixed - false FF - user.js: security.warn_viewing_mixed.show_once - false FF - user.js: security.warn_submit_insecure - false FF - user.js: security.warn_submit_insecure.show_once - false . . ************************************************************************** . catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2012-06-28 09:23 Windows 5.1.2600 Service Pack 3 NTFS . scanning hidden processes ... . scanning hidden autostart entries ... . scanning hidden files ... . scan completed successfully hidden files: 0 . ************************************************************************** . [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{1BA31E5A-C098-42d8-8F88-3C9F78A2FDDC}] "ImagePath"="\??\c:\program files\CyberLink\PowerDVD10\NavFilter\000.fcl" . [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{B154377D-700F-42cc-9474-23858FBDF4BD}] "ImagePath"="\??\c:\program files\CyberLink\PowerDVD9\000.fcl" . [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\{FE4C91E7-22C2-4D0C-9F6B-82F1B7742054}] "ImagePath"="\??\c:\program files\PowerDVD8\PowerDVD8\000.fcl" . --------------------- LOCKED REGISTRY KEYS --------------------- . [HKEY_USERS\S-1-5-21-1960408961-1303643608-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*] @Allowed: (Read) (RestrictedCode) @Allowed: (Read) (RestrictedCode) . --------------------- DLLs Loaded Under Running Processes --------------------- . - - - - - - - > 'winlogon.exe'(812) c:\program files\SUPERAntiSpyware\SASWINLO.dll c:\windows\system32\WININET.dll c:\windows\system32\RARfsClientNP.dll . - - - - - - - > 'lsass.exe'(872) c:\windows\system32\RARfsClientNP.dll . Completion time: 2012-06-28 09:40:46 ComboFix-quarantined-files.txt 2012-06-28 16:40 ComboFix2.txt 2012-06-27 18:44 ComboFix3.txt 2011-12-20 00:00 . Pre-Run: 238,797,205,504 bytes free Post-Run: 238,864,044,032 bytes free . - - End Of File - - B73B548618553C9A44CE5C964FD630CF
- June 28, 2012
- 77 replies
Please help with this log

rysktkr replied to rysktkr's topic in Resolved Malware Removal Logs

Hi MrC, Here are the requested logs: . DDS (Ver_2011-08-26.01) - NTFSx86 Internet Explorer: 9.0.8112.16421 Run by Linda at 8:00:24 on 2012-06-28 Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1013.161 [GMT -7:00] . SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46} . ============== Running Processes =============== . C:\Windows\system32\wininit.exe C:\Windows\system32\lsm.exe C:\Windows\system32\svchost.exe -k DcomLaunch C:\Windows\system32\svchost.exe -k rpcss C:\Windows\System32\svchost.exe -k secsvcs C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted C:\Windows\system32\svchost.exe -k netsvcs C:\Windows\system32\svchost.exe -k GPSvcGroup C:\Windows\system32\SLsvc.exe C:\Windows\system32\svchost.exe -k LocalService C:\Program Files\Symantec\Symantec Endpoint Protection\Smc.exe C:\Windows\system32\svchost.exe -k NetworkService C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe C:\Windows\System32\spoolsv.exe C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork C:\Windows\system32\agrsmsvc.exe C:\Acer\ALaunch\ALaunchSvc.exe C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe C:\Program Files\Acer\Acer Arcade\Kernel\CLML_NTService\CLMLServer.exe C:\Acer\Empowering Technology\eDataSecurity\eDSService.exe C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe C:\Acer\Empowering Technology\eNet\eNet Service.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Acer\Mobility Center\MobilityService.exe C:\Program Files\Common Files\PC Tools\sMonitor\StartManSvc.exe C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted C:\Windows\system32\svchost.exe -k imgsvc C:\Program Files\Symantec\Symantec Endpoint Protection\Rtvscan.exe C:\Windows\System32\svchost.exe -k WerSvcGroup C:\Windows\system32\SearchIndexer.exe C:\Windows\system32\DRIVERS\xaudio.exe C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe C:\Acer\Empowering Technology\eSettings\Service\capuserv.exe C:\Acer\Empowering Technology\ePower\ePowerSvc.exe C:\Windows\system32\wbem\wmiprvse.exe C:\Windows\system32\wbem\unsecapp.exe C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe C:\Windows\system32\taskeng.exe C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation C:\Windows\system32\svchost.exe -k WindowsMobile C:\Windows\system32\taskeng.exe C:\Windows\system32\Dwm.exe C:\Windows\Explorer.EXE C:\Program Files\Symantec\Symantec Endpoint Protection\SmcGui.exe C:\Windows\RtHDVCpl.exe C:\Acer\Empowering Technology\eDataSecurity\eDSLoader.exe C:\Program Files\Acer\Acer Arcade\PCMService.exe C:\Program Files\Launch Manager\LManager.exe C:\Program Files\Apoint2K\Apoint.exe C:\Windows\System32\igfxtray.exe C:\Windows\System32\hkcmd.exe C:\Windows\System32\igfxpers.exe C:\Windows\system32\igfxsrvc.exe C:\Program Files\CyberLink\PowerDVD9\PDVD9Serv.exe C:\Windows\system32\igfxext.exe C:\Windows\system32\igfxsrvc.exe C:\Program Files\CyberLink\Shared Files\brs.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Common Files\PC Tools\sMonitor\SSDMonitor.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Windows\System32\wpcumi.exe C:\Windows\WindowsMobile\wmdSync.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\Macromed\Flash\FlashUtil11e_ActiveX.exe C:\Program Files\Google\Google Toolbar\GoogleToolbarUser_32.exe C:\Acer\Empowering Technology\ENET\ENMTRAY.EXE C:\Windows\system32\wbem\wmiprvse.exe C:\Acer\Empowering Technology\EPOWER\EPOWER_DMC.EXE C:\Acer\Empowering Technology\ACER.EMPOWERING.FRAMEWORK.SUPERVISOR.EXE C:\Acer\Empowering Technology\eRecovery\ERAGENT.EXE C:\Users\Linda\AppData\Local\Temp\RtkBtMnt.exe C:\Program Files\iPod\bin\iPodService.exe C:\Program Files\Apoint2K\ApMsgFwd.exe C:\Program Files\Apoint2K\Apntex.exe C:\Windows\system32\SearchProtocolHost.exe C:\Program Files\Internet Explorer\iexplore.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\SearchFilterHost.exe . ============== Pseudo HJT Report =============== . mStart Page = hxxp://en.us.acer.yahoo.com uInternet Settings,ProxyOverride = *.local mURLSearchHooks: H - No File BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll BHO: ShowBarObj Class: {83a2f9b1-01a2-4aa5-87d1-45b6b8505e96} - c:\windows\system32\ActiveToolBand.dll BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll uRun: [sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun uRun: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter uRun: [Acer Tour Reminder] uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe" mRun: [RtHDVCpl] RtHDVCpl.exe mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe mRun: [PCMService] "c:\program files\acer\acer arcade\PCMService.exe" mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe" mRun: [LManager] c:\progra~1\launch~1\LManager.exe mRun: [Apoint] c:\program files\apoint2k\Apoint.exe mRun: [Acer Product Registration] "c:\program files\acer registration\ACE1.exe" /startup mRun: [Acer Assist Launcher] c:\program files\acer assist\launcher.exe mRun: [Acer Tour Reminder] c:\acer\acertour\Reminder.exe mRun: [igfxTray] c:\windows\system32\igfxtray.exe mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe mRun: [Persistence] c:\windows\system32\igfxpers.exe mRun: [WPCUMI] c:\windows\system32\WpcUmi.exe mRun: [skytel] Skytel.exe mRun: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe mRun: [RemoteControl9] "c:\program files\cyberlink\powerdvd9\PDVD9Serv.exe" mRun: [PDVD9LanguageShortcut] "c:\program files\cyberlink\powerdvd9\language\Language.exe" mRun: [bDRegion] c:\program files\cyberlink\shared files\brs.exe mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe" mRun: [sSDMonitor] c:\program files\common files\pc tools\smonitor\SSDMonitor.exe mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe" StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\empowe~1.lnk - c:\acer\empowering technology\eAPLauncher.exe StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE mPolicies-explorer: BindDirectlyToPropertySetStorage = 0 (0x0) mPolicies-system: EnableUIADesktopToggle = 0 (0x0) IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000 LSP: c:\windows\system32\wpclsp.dll DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab DPF: {4B54A9DE-EF1C-4EBE-A328-7C28EA3B433A} - hxxp://quickscan.bitdefender.com/qsax/qsax.cab DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab DPF: {B80CD4E6-5B02-4B6C-99BE-68F1511E9549} - hxxp://plugin.slingbox.com/downloads/pc/1.4.0.85/WebSlingPlayer.cab DPF: {CF969D51-F764-4FBF-9E90-475248601C8A} - hxxp://www.worldwinner.com/games/v47/familyfeud/familyfeud.cab DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab TCP: DhcpNameServer = 192.168.1.1 TCP: Interfaces\{AE3C0EED-CF5E-481E-BFF7-0EEEDCC9A3BE} : DhcpNameServer = 192.168.1.1 TCP: Interfaces\{B5A6F3AD-88CD-452C-B0E8-E6FFCC8CE4B6} : DhcpNameServer = 192.168.0.1 Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL Notify: igfxcui - igfxdev.dll AppInit_DLLs: c:\windows\system32\eNetHook.dll . ================= FIREFOX =================== . FF - ProfilePath - c:\users\linda\appdata\roaming\mozilla\firefox\profiles\j983f3bc.default\ FF - plugin: c:\users\linda\appdata\roaming\mozilla\firefox\profiles\j983f3bc.default\extensions\{e001c731-5e37-4538-a5cb-8168736a2360}\plugins\npqscan.dll . ============= SERVICES / DRIVERS =============== . R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2007-7-31 179712] R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2012-5-31 106656] S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-6-27 40776] . =============== Created Last 30 ================ . 2012-06-28 03:16:03 388096 ----a-r- c:\users\linda\appdata\roaming\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe 2012-06-28 03:15:53 -------- d-----w- c:\program files\Trend Micro 2012-06-27 21:54:35 984064 ----a-w- c:\windows\system32\crypt32.dll 2012-06-27 21:54:35 98304 ----a-w- c:\windows\system32\cryptnet.dll 2012-06-27 21:54:35 133120 ----a-w- c:\windows\system32\cryptsvc.dll 2012-06-27 21:51:47 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys 2012-06-26 21:25:02 56200 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{94e813c5-29a6-474b-8a7c-7c90c11cd984}\offreg.dll 2012-06-26 21:04:25 6762896 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{94e813c5-29a6-474b-8a7c-7c90c11cd984}\mpengine.dll 2012-06-26 20:54:35 180736 ----a-w- c:\windows\system32\drivers\rdpwd.sys 2012-06-26 20:53:28 2045440 ----a-w- c:\windows\system32\win32k.sys 2012-06-26 19:42:02 2422272 ----a-w- c:\windows\system32\wucltux.dll 2012-06-26 19:39:08 88576 ----a-w- c:\windows\system32\wudriver.dll 2012-06-26 19:37:37 33792 ----a-w- c:\windows\system32\wuapp.exe 2012-06-26 19:37:37 171904 ----a-w- c:\windows\system32\wuwebv.dll . ==================== Find3M ==================== . 2012-05-17 22:45:37 1800192 ----a-w- c:\windows\system32\jscript9.dll 2012-05-17 22:35:47 1129472 ----a-w- c:\windows\system32\wininet.dll 2012-05-17 22:35:39 1427968 ----a-w- c:\windows\system32\inetcpl.cpl 2012-05-17 22:29:45 142848 ----a-w- c:\windows\system32\ieUnatt.exe 2012-05-17 22:24:45 2382848 ----a-w- c:\windows\system32\mshtml.tlb 2012-04-04 22:56:40 22344 ----a-w- c:\windows\system32\drivers\mbam.sys 2012-04-03 08:16:12 3602816 ----a-w- c:\windows\system32\ntkrnlpa.exe 2012-04-03 08:16:11 3550080 ----a-w- c:\windows\system32\ntoskrnl.exe . ============= FINISH: 8:03:24.63 =============== . UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG. IF REQUESTED, ZIP IT UP & ATTACH IT . DDS (Ver_2011-08-26.01) . Microsoft® Windows Vista™ Home Basic Boot Device: \Device\HarddiskVolume2 Install Date: 11/27/2007 10:38:47 PM System Uptime: 6/28/2012 6:39:59 AM (2 hours ago) . Motherboard: Acer | | Acadia Processor: Intel® Celeron® CPU 540 @ 1.86GHz | uPGA-478 | 1862/133mhz . ==== Disk Partitions ========================= . C: is FIXED (NTFS) - 70 GiB total, 12.751 GiB free. D: is FIXED (NTFS) - 70 GiB total, 50.877 GiB free. E: is CDROM () F: is Removable . ==== Disabled Device Manager Items ============= . Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318} Description: Microsoft ISATAP Adapter Device ID: ROOT\*ISATAP\0001 Manufacturer: Microsoft Name: Microsoft ISATAP Adapter #2 PNP Device ID: ROOT\*ISATAP\0001 Service: tunnel . Class GUID: {4d36e972-e325-11ce-bfc1-08002be10318} Description: Microsoft Tun Miniport Adapter Device ID: ROOT\*TUNMP\0001 Manufacturer: Microsoft Name: Microsoft Tun Miniport Adapter #2 PNP Device ID: ROOT\*TUNMP\0001 Service: tunmp . ==== System Restore Points =================== . . ==== Installed Programs ====================== . Acer Arcade Acer Assist Acer eDataSecurity Management Acer eLock Management Acer Empowering Technology Acer eNet Management Acer ePower Management Acer ePresentation Management Acer eSettings Management Acer GridVista Acer Mobility Center Plug-In Acer Registration Acer ScreenSaver Acer Tour Activation Assistant for the 2007 Microsoft Office suites Adobe Flash Player 11 ActiveX Adobe Reader 8.1.0 Adobe Shockwave Player 11.5 Agere Systems HDA Modem ALPS Touch Pad Driver Apple Application Support Apple Mobile Device Support Apple Software Update Big Kahuna Reef 2 Bonjour Bricks of Egypt CyberLink PowerDVD 9 Disney Toontown Online DVDFab 8.1.2.0 (15/09/2011) Qt Dynasty ESET Online Scanner v3 Galapago Google Toolbar for Internet Explorer Google Update Helper HiJackThis Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484) Intel® Graphics Media Accelerator Driver iTunes Jewel Quest Solitaire Launch Manager LightScribe 1.4.142.1 LiveUpdate 3.3 (Symantec Corporation) Luxor 2 MAGIX Ringtone Maker 2 e-version (US) Malwarebytes Anti-Malware version 1.61.0.1400 Microsoft .NET Framework 3.5 SP1 Microsoft .NET Framework 4 Client Profile Microsoft Office XP Professional with FrontPage Microsoft Visual C++ 2005 Redistributable Microsoft Works Microsoft XML Parser MobileMe Control Panel Mozilla Firefox 5.0 (x86 en-US) MSXML 4.0 SP2 (KB936181) MSXML 4.0 SP2 (KB941833) MSXML 4.0 SP2 (KB954430) MSXML 4.0 SP2 (KB973688) Music Rescue Mystery Case Files - Prime Suspects Mystery Case Files Ravenhearst NTI Backup NOW! 4.7 NTI CD & DVD-Maker PowerProducer 3.72 QuickTime Realtek High Definition Audio Driver Registry Mechanic 10.0 Safari Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111) Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424) Security Update for Microsoft .NET Framework 4 Client Profile (KB2446708) Security Update for Microsoft .NET Framework 4 Client Profile (KB2478663) Security Update for Microsoft .NET Framework 4 Client Profile (KB2518870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2539636) Security Update for Microsoft .NET Framework 4 Client Profile (KB2572078) Security Update for Microsoft .NET Framework 4 Client Profile (KB2604121) Security Update for Microsoft .NET Framework 4 Client Profile (KB2633870) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656351) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656368v2) Security Update for Microsoft .NET Framework 4 Client Profile (KB2656405) Security Update for Microsoft .NET Framework 4 Client Profile (KB2686827) SlingPlayer Symantec Endpoint Protection Treasures of the Deep Update for Microsoft .NET Framework 3.5 SP1 (KB963707) Update for Microsoft .NET Framework 4 Client Profile (KB2468871) Update for Microsoft .NET Framework 4 Client Profile (KB2533523) Update for Microsoft .NET Framework 4 Client Profile (KB2600217) VoiceOver Kit Warcraft III WebSlingPlayer ActiveX WinRAR archiver Zuma Deluxe . ==== Event Viewer Messages From Past Week ======== . 6/27/2012 2:41:47 PM, Error: EventLog [6008] - The previous system shutdown at 1:09:51 PM on 6/27/2012 was unexpected. 6/27/2012 12:47:53 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the LanmanWorkstation service. 6/27/2012 12:46:28 PM, Error: Service Control Manager [7023] - The iPod Service service terminated with the following error: Security must be initialized before any interfaces are marshalled or unmarshalled. It cannot be changed once initialized. 6/27/2012 12:45:22 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the W32Time service. 6/27/2012 12:44:56 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the FDResPub service. 6/27/2012 11:32:33 AM, Error: Service Control Manager [7022] - The Background Intelligent Transfer Service service hung on starting. 6/27/2012 11:26:20 AM, Error: EventLog [6008] - The previous system shutdown at 7:15:52 PM on 6/26/2012 was unexpected. 6/26/2012 4:54:53 PM, Error: Service Control Manager [7011] - A timeout (30000 milliseconds) was reached while waiting for a transaction response from the WerSvc service. 6/26/2012 12:14:56 PM, Error: EventLog [6008] - The previous system shutdown at 11:52:19 AM on 6/18/2012 was unexpected. 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-zh-tw-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-zh-hk-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-zh-cn-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-uk-ua-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-tr-tr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-th-th-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sv-se-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sr-latn-cs-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sl-si-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-sk-sk-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ru-ru-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ro-ro-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-pt-pt-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-pt-br-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ps-ps-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-pl-pl-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-nl-nl-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-Neutral from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-nb-no-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-lv-lv-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-lt-lt-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ko-kr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ja-jp-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-it-it-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-hu-hu-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-hr-hr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-he-il-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-fr-fr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-fi-fi-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-et-ee-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-es-es-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-en-us-LP from package WUClient-SelfUpdate-Aux-Package-en-us-MiniLP(Feature Pack) into Staged(Staged) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-en-us-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Staged(Staged) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-el-gr-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-de-de-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-da-dk-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-cs-cz-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-bg-bg-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update WUClient-SelfUpdate-Aux-ar-sa-LP-Toplevel from package KBWUClient-SelfUpdate-Aux(Feature Pack) into Absent(Absent) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update AuxResourcesLP from package WindowsUpdateClient-SelfUpdate-Aux-Package(Language Pack) into Staged(Staged) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update AuxComp from package WindowsUpdateClient-SelfUpdate-Aux-Package(Update) into Staged(Staged) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update Aux from package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package_en-US(Language Pack) into Staged(Staged) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4385] - Windows Servicing failed to complete the process of changing update Aux from package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package(Update) into Staged(Staged) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WUClient-SelfUpdate-Aux-Package-en-us-MiniLP (Feature Pack) into Install Requested(Install Requested) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-Package (Update) into Install Requested(Install Requested) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-Package (Language Pack) into Install Requested(Install Requested) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package_en-US (Language Pack) into Install Requested(Install Requested) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package WindowsUpdateClient-SelfUpdate-Aux-AuxComp-Package (Update) into Install Requested(Install Requested) state 6/26/2012 1:03:37 PM, Error: Microsoft-Windows-Servicing [4375] - Windows Servicing failed to complete the process of setting package KBWUClient-SelfUpdate-Aux (Feature Pack) into Install Requested(Install Requested) state . ==== End Of File ===========================
- June 28, 2012
- 23 replies

Events

Profiles

Forums

Everything posted by rysktkr

Important Information